Netflix / eureka

AWS Service registry for resilient mid-tier load balancing and failover.
Apache License 2.0

Whitesource vulnerabilities in eureka-client and eureka-server #1387

Open AmitAmar opened 3 years ago

AmitAmar commented 3 years ago

Hi,

We are using eureka-client and eureka-server (version: 1.10.13) and we saw some vulnerabilities in your jars:

log4j-1.2.16.jar
jackson-dataformat-cbor-2.6.7.jar
xstream-1.4.15.jar

Do you know when those vulnerabilities will be fixed?

Thanks and have a nice day,

Amit.

troshko111 commented 3 years ago

xstream updated, PRs welcome for the other two.

AmitAmar commented 3 years ago

Done :)

https://github.com/Netflix/eureka/pull/1388

Thank you!

kkrakovych commented 2 years ago

Hi Team,

I would like to create a new patch to address the issue, because eureka-server still has log4j-1.2.16.jar and jackson-dataformat-cbor-2.6.7.jar.

I would like to upgrade all slf4j libraries to 1.7.35 (to get rid of log4j-1.2.16), upgrade all jackson libraries to 2.11.4 plus explicitly specify jackson-dataformat-cbor version (2.6.7 arrives from aws-java-sdk-core).

Any objection?

Best regards, Kostyantyn
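One way to express the upgrade described in the comment above in a Gradle build, as an added example that is not part of this thread or of the Eureka project's own build files. It assumes a Gradle build (Eureka builds with Gradle) and uses the standard Maven coordinates for the libraries named in the thread; the versions are the ones proposed in the comment.

```groovy
// Added example (not the project's build.gradle): pin the transitive
// jackson-dataformat-cbor that aws-java-sdk-core drags in, and line up the
// rest of Jackson and SLF4J on the proposed versions.
dependencies {
    constraints {
        // aws-java-sdk-core resolves jackson-dataformat-cbor 2.6.7 on its own;
        // a constraint raises whatever version is requested transitively.
        implementation('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.11.4') {
            because 'aws-java-sdk-core pulls in 2.6.7, which the Whitesource scan flagged'
        }
        // Keep the Jackson modules on one version so core/databind/cbor do not drift.
        implementation 'com.fasterxml.jackson.core:jackson-core:2.11.4'
        implementation 'com.fasterxml.jackson.core:jackson-databind:2.11.4'
        implementation 'com.fasterxml.jackson.core:jackson-annotations:2.11.4'
        // SLF4J to 1.7.35 as proposed in the comment.
        implementation 'org.slf4j:slf4j-api:1.7.35'
    }
}

// Verify what actually lands on the runtime classpath after the change, e.g.:
//   ./gradlew :eureka-server:dependencyInsight \
//       --dependency jackson-dataformat-cbor --configuration runtimeClasspath
// The report names the dependency that requested 2.6.7 and shows it being
// raised to 2.11.4 by the constraint above.
```

A constraint only raises a transitively requested version; if some module declares an explicit older version directly, that declaration must be edited as well.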