oracle / opengrok

OpenGrok is a fast and usable source code search and cross reference engine, written in Java
http://oracle.github.io/opengrok/

Security framework of XStream not initialized, XStream is probably vulnerable. #3377

Open vladak opened 4 years ago

vladak commented 4 years ago

From time to time I see the `Security framework of XStream not initialized, XStream is probably vulnerable.` warning in the Tomcat log. Not sure whether it needs to be addressed. For sure there is the `xstream-1.4.12.jar` file under the opengrok-web module.

vladak commented 4 years ago

https://stackoverflow.com/questions/44698296/security-framework-of-xstream-not-initialized-xstream-is-probably-vulnerable suggests this is something that should be taken care of in the direct consumer.

It seems that either jaxb-impl or chronicle-map use XStream. The latter is more plausible given that the error messages tend to appear in the log in between suggester rebuild messages.
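The consumer-side initialization the linked Stack Overflow answer refers to, as an added example that is not part of this thread or of OpenGrok's code: a hypothetical application that calls XStream 1.4.12 directly replaces the implicit allow-everything default with an explicit allowlist, which both silences the warning and makes XStream reject types the application never expects. The `Settings` class and the two XML samples are constructed; OpenGrok itself only gets XStream transitively, so in its case this would have to happen inside whichever library actually uses it.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

/** Hypothetical direct consumer of XStream (constructed for this example, not OpenGrok code). */
public class XStreamAllowlistDemo {

    /** Constructed application type that this consumer legitimately deserializes. */
    public static class Settings {
        public String name;
        public int retries;
    }

    /** Build an XStream instance whose security framework is explicitly initialized. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.alias("settings", Settings.class);
        // Start from "no type is allowed": this call is what marks the security
        // framework as initialized, so the warning from the issue no longer appears.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow only the harmless basics...
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(Collection.class);
        // ...plus the concrete types this application actually expects.
        xstream.allowTypes(new Class[] { Settings.class, String.class });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input of an allowed type: deserializes as before.
        Settings s = (Settings) xstream.fromXML(
                "<settings><name>demo</name><retries>3</retries></settings>");
        System.out.println("allowed: " + s.name + " retries=" + s.retries);

        // Constructed input naming a type outside the allowlist: rejected up front,
        // before any converter or constructor of that type runs.
        try {
            xstream.fromXML("<java.util.Date>2020-01-01 00:00:00.0 UTC</java.util.Date>");
            System.out.println("unexpected: java.util.Date was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whether the allowlist is complete is something to verify against the application's own test fixtures: every type that appears in legitimate input must be listed, and anything that is not will now fail loudly with `ForbiddenClassException` instead of being silently instantiated.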

oacnhpkqxjhufwumkkqnshvlmheokqv commented 3 years ago

I'm seeing this in my logs too after deploying 1.5.10 in a staging environment.