Ignite / IGNITE-13464

Ignite-rest-http module includes vulnerable dependencies

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.9, 2.8.1
    • Fix Version/s: 2.12
    • Component/s: rest
    • Labels: None

    Description

      The ignite-rest-http module includes a vulnerable version of the log4j library. It also appears to include slf4j. Why does the REST API include its own logging libraries?

      This was spotted in 2.8.1 but still appears to be an issue in master and 2.9.

      More here:

      http://apache-ignite-users.70518.x6.nabble.com/critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-log4j-1-r-td34031.html

            People

              Assignee: RyzhovSV Sergei Ryzhov
              Reporter: sdarlington Stephen Darlington
              Votes: 0
              Watchers: 7

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 20m