dcaegen2/collectors/hv-ves security vulnerabilities

Description

The following vulnerability was identified by the CLM scan; upgrade to the version specified below (last column of the scan report).

Project: dcaegen2/collector/hv-ves

Component: com.google.guava : guava : 19.0

Vulnerability: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class
The application is vulnerable by using this component if it uses Java deserialization or GWT-RPC to deserialize untrusted data.

Recommended fix: Upgrade to 23.6.1-jre
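One way to force the transitive Guava version up to the recommended 23.6.1-jre in a Maven build, shown here as an added example that is not the hv-ves project's own build file. It assumes the affected module is built with Maven (a Gradle build would use a resolution strategy instead); the module coordinates and the protobuf-java-util version are placeholders, not values from the page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pom (not the hv-ves project's own). It pins the Guava version
     that protobuf-java-util pulls in transitively to the version recommended by
     the CLM report. Coordinates and the protobuf version are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example.placeholder</groupId>
  <artifactId>hv-ves-simulator-placeholder</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <!-- dependencyManagement overrides the resolved version of any matching
       artifact in this module, including ones that arrive transitively,
       so protobuf-java-util's own guava:19.0 requirement is replaced. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>23.6.1-jre</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency that brings in the vulnerable Guava. -->
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java-util</artifactId>
      <version>PROTOBUF_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

After changing the build, confirm the override took effect with `mvn dependency:tree -Dincludes=com.google.guava`; only 23.6.1-jre should appear, which matches the check described in the comments (no guava-19 left in the dependency tree). Because the pinned version is several major releases ahead of 19.0, run the simulators' tests afterwards to catch any API breakage in protobuf-java-util's use of Guava.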


Activity


Former user March 18, 2019 at 7:05 AM

Thank you for the hint. We now have 0 security issues.

Former user March 15, 2019 at 3:24 PM

Nice work! You can trigger the CLM job on demand using the "run-clm" keyword.

Let me know if you need help getting the report.

Former user March 15, 2019 at 11:55 AM

After the fixes, the dependency tree contains neither jackson nor guava-19. Waiting for a new CLM scan to confirm.

Former user February 28, 2019 at 2:43 PM

The dependency is a transitive dependency from the latest version of "com.google.protobuf:protobuf-java-util". It is used only in simulators (used in CSIT tests to simulate xNF and analytics application). We will try to manually force the use of a newer Guava, but because of backward incompatibility it might be impossible. Should we get rid of this dependency even in non-production code?

Details

Status: Done
Created February 11, 2019 at 4:45 AM
Updated July 10, 2019 at 8:03 PM
Resolved May 30, 2019 at 6:29 PM