Posted to commits@cassandra.apache.org by "Ori Prog (Jira)" <ji...@apache.org> on 2022/02/03 09:52:00 UTC

[jira] [Commented] (CASSANDRA-17326) Security Bug

    [ https://issues.apache.org/jira/browse/CASSANDRA-17326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17486339#comment-17486339 ] 

Ori Prog commented on CASSANDRA-17326:
--------------------------------------

Dear Benedict,
We don’t have an example for any actual attack of a specific CVE. Could you please clarify “The project regularly audits our exposure to CVEs”?
Do you scan Cassandra with your scanner and it is not exposed?
What tool do you use for the scans - OWASP Dependency Check or something else?

> Security Bug
> ------------
>
>                 Key: CASSANDRA-17326
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17326
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Ori Prog
>            Priority: Normal
>
> The Cassandra 3.11.11 uses _netty-all-4.0.44.Final.jar_
> This library has the following CVEs. {*}Part of these CVEs are critical{*}!
> Please upgrade to 4.1.71.Final
> CVE-2019-20445
> CVE-2019-20444
> CVE-2019-16869
> CVE-2020-7238
> CVE-2021-37136
> CVE-2021-37137
> CVE-2021-21409
> CVE-2021-43797
> CVE-2021-21295
> CVE-2021-21290


