You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ignite.apache.org by "Amelchev Nikita (Jira)" <ji...@apache.org> on 2021/12/21 10:13:00 UTC

[jira] [Updated] (IGNITE-13464) Ignite-rest-http, zookeeper modules includes vulnerable dependencies

     [ https://issues.apache.org/jira/browse/IGNITE-13464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amelchev Nikita updated IGNITE-13464:
-------------------------------------
    Description: 
The ignite-rest-http, zookeeper module includes a [vulnerable version|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] of the log4j library. It also appears to include slf4j. Why does the REST API include its own logging libraries?

This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.

More here:

http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html

  was:
The ignite-rest-http module includes a [vulnerable version|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] of the log4j library. It also appears to include slf4j. Why does the REST API include its own logging libraries?

This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.

More here:

http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html


> Ignite-rest-http, zookeeper modules includes vulnerable dependencies
> --------------------------------------------------------------------
>
>                 Key: IGNITE-13464
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13464
>             Project: Ignite
>          Issue Type: Bug
>          Components: rest
>    Affects Versions: 2.9, 2.8.1
>            Reporter: Stephen Darlington
>            Assignee: Sergei Ryzhov
>            Priority: Blocker
>             Fix For: 2.12
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The ignite-rest-http, zookeeper module includes a [vulnerable version|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] of the log4j library. It also appears to include slf4j. Why does the REST API include its own logging libraries?
> This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.
> More here:
> http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html



--
This message was sent by Atlassian Jira
(v8.20.1#820001)