Posted to issues@ignite.apache.org by "timus1 (Jira)" <ji...@apache.org> on 2023/10/27 16:06:00 UTC

[jira] [Created] (IGNITE-20756) Partially unresolved OOM issue in thin client protocol handler caused by malicious or garbage data.

timus1 created IGNITE-20756:
-------------------------------

             Summary: Partially unresolved OOM issue in thin client protocol handler caused by malicious or garbage data.
                 Key: IGNITE-20756
                 URL: https://issues.apache.org/jira/browse/IGNITE-20756
             Project: Ignite
          Issue Type: Bug
          Components: thin client
    Affects Versions: 2.15
            Reporter: timus1


I understand that issue IGNITE-15921 is fixed in Ignite 2.13 and above. I use the ignite-core 2.15 library in software, and I security-scan the software and its dependent libraries through Nexus IQ. The Nexus IQ report (sonatype-2021-4292) suggests that the fix in ignite-core 2.15 via the above issue is only partial and does not address all the vulnerable code. They provided an advisory deviation notice for ignite-core 2.15.0, which I pasted below. I want to confirm whether the Ignite community agrees with this finding for the 2.15 version. If yes, could you please consider addressing this vulnerability?


Advisories:
Project: https://github.com/apache/ignite/pull/9610
Project: https://issues.apache.org/jira/browse/IGNITE-15921

_Advisory Deviation Notice from Nexus IQ report:_ The Sonatype security research team discovered that the {{read()}} method in the {{GridNioServerBuffer}} class also has the vulnerable portion of code in it and was not taken into account in the fix (IGNITE-15921).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
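To illustrate the bug class this report is about (a peer-supplied length field driving a buffer allocation before it is validated), here is a hypothetical length-prefixed frame reader written for this note; it is not Ignite's code, and `FrameReader`, `maxMsgSize` and the sample frames are assumptions that do not reflect what GridNioServerBuffer.read() actually does.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/** Hypothetical reader for frames of the form [int32 length][length bytes]. */
public final class FrameReader {
    /** Upper bound for one message; the 64 KiB used below is an assumed value. */
    private final int maxMsgSize;

    public FrameReader(int maxMsgSize) { this.maxMsgSize = maxMsgSize; }

    /** Vulnerable pattern: allocate whatever size the peer claims, then read into it. */
    static byte[] readUnchecked(ByteBuffer in) {
        int len = in.getInt();            // fully attacker-controlled
        byte[] payload = new byte[len];   // a 2 GB claim means a 2 GB allocation or an OutOfMemoryError
        in.get(payload);                  // garbage data never even has to be sent
        return payload;
    }

    /** Hardened pattern: bound the length before any allocation, and only allocate once the body is present. */
    byte[] readChecked(ByteBuffer in) {
        if (in.remaining() < Integer.BYTES) return null;     // header incomplete; wait for more bytes
        int len = in.getInt(in.position());                   // peek without consuming the header
        if (len <= 0 || len > maxMsgSize)                     // reject before touching the heap
            throw new IllegalArgumentException("rejected frame length " + len + " (max " + maxMsgSize + ")");
        if (in.remaining() < Integer.BYTES + len) return null; // body incomplete; nothing allocated yet
        in.getInt();                                          // consume the header
        byte[] payload = new byte[len];                       // bounded by maxMsgSize
        in.get(payload);
        return payload;
    }

    public static void main(String[] args) {
        FrameReader reader = new FrameReader(64 * 1024);

        // Constructed well-formed frame: length 4 followed by "ping".
        byte[] body = "ping".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer good = ByteBuffer.allocate(Integer.BYTES + body.length).putInt(body.length).put(body);
        good.flip();
        System.out.println("ok: " + new String(reader.readChecked(good), StandardCharsets.US_ASCII));

        // Constructed hostile header: claims a ~2 GB body and sends no bytes at all.
        ByteBuffer bad = ByteBuffer.allocate(Integer.BYTES).putInt(Integer.MAX_VALUE);
        bad.flip();
        try {
            reader.readChecked(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("dropped: " + e.getMessage()); // a real server would also close the connection
        }
    }
}
```

In a server, the rejection branch is where to close the connection and emit a metric or log line, since a burst of such headers is the detectable signature of this attack.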