
Whitesource vulnerabilities in eureka-client and eureka-server

Open AmitAmar opened this issue 3 years ago • 3 comments

Hi,

We are using eureka-client and eureka-server (version: 1.10.13) and we saw some vulnerabilities in your jars:

log4j-1.2.16.jar
jackson-dataformat-cbor-2.6.7.jar
xstream-1.4.15.jar

Do you know when those vulnerabilities will be fixed?

Thanks and have a nice day,

Amit.

AmitAmar avatar Apr 11 '21 19:04 AmitAmar

xstream updated, PRs welcome for the other two.

troshko111 avatar Apr 13 '21 17:04 troshko111

Done :)

https://github.com/Netflix/eureka/pull/1388

Thank you!

AmitAmar avatar Apr 22 '21 10:04 AmitAmar

Hi Team,

I would like to create a new patch to address the issue, because eureka-server still has log4j-1.2.16.jar and jackson-dataformat-cbor-2.6.7.jar.

I would like to upgrade all slf4j libraries to 1.7.35 (to get rid of log4j-1.2.16), upgrade all jackson libraries to 2.11.4 plus explicitly specify jackson-dataformat-cbor version (2.6.7 arrives from aws-java-sdk-core).

Any objection?

Best regards, Kostyantyn

kkrakovych avatar Feb 01 '22 14:02 kkrakovych
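The upgrade plan in the comment above (bump slf4j, bump jackson, and pin the transitive jackson-dataformat-cbor that arrives through aws-java-sdk-core) is the kind of change that silently regresses when a transitive dependency is bumped later. The Gradle fragment below is an added example, not the Netflix/eureka build file and not the PR's own change: it forces the versions named in the comment, excludes the legacy log4j 1.2 artifact outright, and adds a task that fails the build if either banned jar reappears on the runtime classpath. The use of the `java` plugin's `runtimeClasspath` configuration and the exact version numbers are assumptions taken from the comment, not verified against the project.

```groovy
// Added example, not part of the eureka build. Assumes the 'java' plugin is applied
// so that configurations.runtimeClasspath exists. Versions are those proposed in the
// comment above (slf4j 1.7.35, jackson 2.11.4) and are assumptions, not project facts.
configurations.all {
    resolutionStrategy {
        // Override whatever version aws-java-sdk-core (or anything else) asks for.
        force 'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.11.4'

        // Keep every org.slf4j artifact on one version so no module drags in the
        // older slf4j-log4j12 that depends on log4j 1.2.16.
        eachDependency { DependencyResolveDetails details ->
            if (details.requested.group == 'org.slf4j') {
                details.useVersion '1.7.35'
                details.because 'align slf4j; older slf4j-log4j12 pulled in log4j 1.2.16'
            }
        }
    }
    // Refuse the legacy log4j 1.x artifact regardless of who requests it.
    exclude group: 'log4j', module: 'log4j'
}

dependencies {
    // Align the rest of the jackson family with the cbor module so that
    // jackson-databind and jackson-dataformat-cbor are never mixed across versions.
    constraints {
        implementation 'com.fasterxml.jackson.core:jackson-core:2.11.4'
        implementation 'com.fasterxml.jackson.core:jackson-databind:2.11.4'
        implementation 'com.fasterxml.jackson.core:jackson-annotations:2.11.4'
    }
}

// Guard task: the two jars named in the issue must not be on the runtime classpath.
// Wire it into 'check' so a later dependency bump cannot reintroduce them unnoticed.
tasks.register('checkBannedJars') {
    description = 'Fails if log4j 1.2.16 or jackson-dataformat-cbor 2.6.7 is resolved.'
    doLast {
        def banned = ['log4j-1.2.16.jar', 'jackson-dataformat-cbor-2.6.7.jar']
        def resolved = configurations.runtimeClasspath.resolvedConfiguration
                .resolvedArtifacts*.file*.name
        def found = resolved.findAll { it in banned }
        if (found) {
            throw new GradleException("Banned jars on runtime classpath: ${found}")
        }
        logger.lifecycle("checkBannedJars: none of ${banned} present")
    }
}
tasks.named('check') { dependsOn 'checkBannedJars' }
```

To see where a surviving old version comes from before forcing it, `./gradlew dependencies --configuration runtimeClasspath` prints the full transitive tree; the `force` line is only needed for artifacts that are not declared directly, which is the jackson-dataformat-cbor case described in the comment.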