Posted to oak-issues@jackrabbit.apache.org by "Nitin Gupta (Jira)" <ji...@apache.org> on 2021/07/16 04:22:00 UTC
[jira] [Created] (OAK-9496) oak-solr-osgi embeds vulnerable Apache ZooKeeper
Nitin Gupta created OAK-9496:
--------------------------------
Summary: oak-solr-osgi embeds vulnerable Apache ZooKeeper
Key: OAK-9496
URL: https://issues.apache.org/jira/browse/OAK-9496
Project: Jackrabbit Oak
Issue Type: Bug
Reporter: Nitin Gupta
This artifact embeds Apache ZooKeeper 3.4.6, which contains the following vulnerabilities:
* *CVE-2016-5017* (CVSS 6.8 Medium): Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
* *BDSA-2018-1712 (CVE-2018-8012)* (CVSS 7.5 High): An attacker controlled rogue end point can connect to Apache ZooKeeper without authentication and propagate counterfeit changes to the cluster.
Recommendation
Apply one of the following suggestions:
* Remove usage and dependency
* Upgrade to a vulnerability-free version of the embedded library. If none is available, upgrade to a less vulnerable version (lower CVSS score)
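Checking whether a bundle actually embeds an affected ZooKeeper is a quick audit to script. The block below is an added example, not part of this issue or of the Jackrabbit Oak project: it opens an OSGi bundle jar, looks for embedded `zookeeper-<version>.jar` entries (the naming convention is an assumption; the jute and other companion jars are deliberately not matched), and compares each version against the ranges the issue states for CVE-2016-5017 (before 3.4.9, and 3.5.x before 3.5.3). The issue gives no version range for CVE-2018-8012, so that advisory is not encoded. `build_sample_bundle` constructs a stand-in bundle in memory so the script runs offline; pass a real bundle path as the first argument to audit it instead.

```python
import io
import re
import sys
import zipfile

# Version ranges stated in the issue for CVE-2016-5017:
# affected before 3.4.9, and 3.5.x before 3.5.3.
CVE_2016_5017 = "CVE-2016-5017"

# Assumed naming convention for the embedded jar: zookeeper-<version>[-qualifier].jar,
# at the bundle root or in any subdirectory. "zookeeper-jute-*.jar" does not match.
ZK_JAR_RE = re.compile(r"(?:^|/)zookeeper-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """Turn '3.4.6' into (3, 4, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def affected_by_cve_2016_5017(version):
    """Apply the affected ranges exactly as the issue states them."""
    v = parse_version(version)
    if v < (3, 5):
        return v < (3, 4, 9)          # "before 3.4.9"
    if v[:2] == (3, 5):
        return v < (3, 5, 3)          # "3.5.x before 3.5.3"
    return False                      # 3.6 and later are outside the stated ranges


def find_embedded_zookeeper(jar_bytes):
    """Return the versions of every zookeeper-*.jar entry embedded in the bundle."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as bundle:
        for name in bundle.namelist():
            match = ZK_JAR_RE.search(name)
            if match:
                found.append(match.group(1))
    return found


def audit_bundle(jar_bytes):
    """Map each embedded ZooKeeper version to the CVEs (from the issue) it falls under."""
    report = {}
    for version in find_embedded_zookeeper(jar_bytes):
        hits = []
        if affected_by_cve_2016_5017(version):
            hits.append(CVE_2016_5017)
        report[version] = hits
    return report


def build_sample_bundle(embedded_zk_version):
    """Constructed stand-in for oak-solr-osgi: a zip with a manifest and one embedded ZooKeeper jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr("META-INF/MANIFEST.MF",
                        "Bundle-SymbolicName: org.apache.jackrabbit.oak-solr-osgi\n")
        # The entry's contents are irrelevant here; only its name is inspected.
        bundle.writestr(f"zookeeper-{embedded_zk_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_bundle("3.4.6")  # constructed sample matching the issue
    for version, cves in audit_bundle(data).items():
        print(f"embedded ZooKeeper {version}: "
              + (", ".join(cves) if cves else "not in the checked ranges"))
```

The version tuple comparison is what makes the check trustworthy: a naive string comparison would rank "3.4.10" below "3.4.9", which is exactly the kind of mistake that lets an affected build slip past an audit.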
--
This message was sent by Atlassian Jira
(v8.3.4#803005)