Open NeelabhKher opened 3 years ago
@mbiarnes any guidance is highly appreciated
@NeelabhKher All deps are coming from wars. These wars (with deps) are downloaded from kiegroups/
This still impacts us on the 7.55.0 version and is being flagged by X-Ray Vulnerability Scanning.
Does it even impact the 7.56 version?
Yes still impacts the 7.56 version. I'm thinking it's something with the current Wildfly version used.
Thanks for the information.
Any update on this one?
@NeelabhKher Hi, I would scan again, because I think many versions have been updated in the meantime.
In my use case, this is getting scanned against JFrog X-Ray vulnerability scanning. Here are the critical issues that pop up.
- CVE-2016-2141 Critical | CVE-2016-2141 | org.jgroups:jgroups:3.3.4.Final
- CVE-2018-1000134 | com.unboundid:unboundid-ldapsdk:3.2.0
- CVE-2017-12629 | org.apache.lucene:lucene-queryparser / 6.6.1
- CVSS V3: 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Lxml unspecified encoded path traversal remote file write
- CVE-2017-1000158 | Cpython (aka python) up to 2.7.13 is vulnerable to an integer overflow
- CVE-2017-7465 | xalan | It was found that the jaxp implementation used in jboss eap 7.0 for xslt processing is vulnerable to code injection
- CVSS V3: 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | io.fabric8:kubernetes-client | Fabric8 kubernetes-client contains a flaw that allows traversing outside of a restricted path. the issue is due to the podoperationsimpl::copydir() function in

This was run on version 7.62 on the image available from Quay.
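Since the flagged dependencies come bundled inside the WARs, a quick way to confirm which ones a given release actually ships is to inventory the jars under `WEB-INF/lib/` by their Maven coordinates and intersect that with the coordinates the scanner flagged. The script below is an added example, not code from this thread or from the kiegroup project; the sample WAR it inspects is constructed in memory, and the flagged set is copied from the findings above.

```python
import io
import re
import zipfile

# Coordinates the X-Ray scan in this thread flagged (copied from the comment above).
FLAGGED = {
    "org.jgroups:jgroups:3.3.4.Final",
    "com.unboundid:unboundid-ldapsdk:3.2.0",
    "org.apache.lucene:lucene-queryparser:6.6.1",
}

def _pom_coords(jar_bytes):
    """Yield groupId:artifactId:version for each pom.properties bundled in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                text = jar.read(name).decode("utf-8", "replace")
                props = dict(re.findall(r"^\s*([\w.]+)\s*=\s*(\S+)", text, re.M))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    yield f"{props['groupId']}:{props['artifactId']}:{props['version']}"

def inventory_war(war_bytes):
    """Return the Maven coordinates of every jar under WEB-INF/lib/ in a WAR."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                found.update(_pom_coords(war.read(name)))
    return found

def flagged_in(war_bytes, flagged=FLAGGED):
    """Sorted list of bundled coordinates that appear on the flagged list."""
    return sorted(inventory_war(war_bytes) & flagged)

def build_sample_war():
    """Constructed sample WAR: two jars, one of them on the flagged list."""
    def jar(group, artifact, version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                       f"version={version}\ngroupId={group}\nartifactId={artifact}\n")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/jgroups-3.3.4.Final.jar", jar("org.jgroups", "jgroups", "3.3.4.Final"))
        war.writestr("WEB-INF/lib/example-lib-1.0.jar", jar("com.example", "example-lib", "1.0"))
    return buf.getvalue()

if __name__ == "__main__":
    for coord in flagged_in(build_sample_war()):
        print("flagged:", coord)
```

Point `inventory_war` at the bytes of a real WAR from the image to get the actual list per release; jars that ship without `pom.properties` will not be identified this way.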
@NeelabhKher @mpsz76 Hi, it would be nice if you guys could advise which versions have no vulnerability, i.e. com.unboundid:unboundid-ldapsdk:3.2.0 -- com.unboundid:unboundid-ldapsdk:??? There are some dependencies coming from EAP7; this we can't change.
In my situation, the company did not scan intranet applications until January 2021. We are currently on 7.37, which was not scanned. The first scan was on 7.54, which has the same vulnerabilities as listed above.
I need help with security vulnerabilities. We ran a scan with the Aqua Sec SaaS offering on the latest image on Docker: https://hub.docker.com/r/jboss/kie-server-showcase/tags?page=1&ordering=last_updated and below are the detailed findings for security vulnerabilities.
Any direction to mitigate them, or to mitigate them in the next release, will be helpful.