Posted to announce@apache.org by Dmitriy Pavlov <dp...@apache.org> on 2018/12/07 14:06:27 UTC

[ANNOUNCE] Apache Ignite 2.7.0 Vulnerable Dependencies Updates

The Apache Ignite Community is pleased to announce that the recently released
Apache Ignite 2.7.0 replaces some vulnerable dependencies with versions that
contain fixes.



Apache Ignite (https://ignite.apache.org/) is a memory-centric distributed
database, caching, and processing platform for transactional, analytical,
and streaming workloads delivering in-memory speeds at petabyte scale.



Apache Ignite 2.7 replaced the following dependencies to avoid the use of
vulnerable third-party software by end users:



Apache Log4j
https://nvd.nist.gov/vuln/detail/CVE-2017-5645

FasterXML jackson-databind
https://nvd.nist.gov/vuln/detail/CVE-2017-15095
https://nvd.nist.gov/vuln/detail/CVE-2017-17485
https://nvd.nist.gov/vuln/detail/CVE-2017-7525
https://nvd.nist.gov/vuln/detail/CVE-2018-5968
https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Scala
https://nvd.nist.gov/vuln/detail/CVE-2017-15288

Apache Commons
https://nvd.nist.gov/vuln/detail/CVE-2015-6420
https://nvd.nist.gov/vuln/detail/CVE-2015-7501
https://nvd.nist.gov/vuln/detail/CVE-2017-15708

Netty Project
https://nvd.nist.gov/vuln/detail/CVE-2016-4970

JCraft
https://nvd.nist.gov/vuln/detail/CVE-2016-5725

Apache Tomcat
https://nvd.nist.gov/vuln/detail/CVE-2016-3092
https://nvd.nist.gov/vuln/detail/CVE-2016-8735
https://nvd.nist.gov/vuln/detail/CVE-2018-8014

Guava
https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Apache Camel
https://nvd.nist.gov/vuln/detail/CVE-2015-5344
https://nvd.nist.gov/vuln/detail/CVE-2015-5348
https://nvd.nist.gov/vuln/detail/CVE-2016-8749
https://nvd.nist.gov/vuln/detail/CVE-2017-12633
https://nvd.nist.gov/vuln/detail/CVE-2017-12634
https://nvd.nist.gov/vuln/detail/CVE-2017-3159
https://nvd.nist.gov/vuln/detail/CVE-2017-5643

Spring Framework
https://nvd.nist.gov/vuln/detail/CVE-2018-1257
https://nvd.nist.gov/vuln/detail/CVE-2018-1258

Spring Data Commons
https://nvd.nist.gov/vuln/detail/CVE-2018-1259
https://nvd.nist.gov/vuln/detail/CVE-2018-1273

Jetty
https://nvd.nist.gov/vuln/detail/CVE-2016-4800
https://nvd.nist.gov/vuln/detail/CVE-2017-9735
https://nvd.nist.gov/vuln/detail/CVE-2017-7658

Lucene
https://nvd.nist.gov/vuln/detail/CVE-2017-12629

Mitigation:
•    Upgrade to Apache Ignite 2.7 or a later version



Credit:
Segu Riluvan discovered the usage of vulnerable modules in dependencies of
Apache Ignite.


Thanks to everyone who was involved in the dependency migration.

Best Regards,

Dmitriy Pavlov on behalf of Apache Ignite community