oodt-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Barber <...@spicule.co.uk>
Subject Re: CVEs etc
Date Tue, 12 Sep 2017 07:37:35 GMT
Thanks for the feedback chaps.

Lewis, the report is broken down into CVEs and the tools likelyhood of the
stuff it detected being accurate.

I think some stuff is pretty obvious, take for example Apache Commons
Collections, that had a Java Serialization bug that allowed for remote code
execution in 3.2.1 but is fixed in 3.2.2 (
https://commons.apache.org/proper/commons-collections/security-reports.html)
and the issue has been in the wild since 2015. We can tackle simple stuff
like this just by shipping an updated version, I assume 3.2.1 to 3.2.2
shouldn't prove too arduous and update.

Others like CVE-2016-6809 need a bit more digging as their severity is high
but confidence low, but turns out Tika did have a matlab exploit that
seemingly got addressed in 1.14.

As I said,  I'm not looking to run out there and ship a big release to fix
all of these, but its worth addressing as we move forward.

Tom

On Mon, Sep 11, 2017 at 5:31 PM, Sean Kelly <kelly@apache.org> wrote:

> Huh. That's a nifty tool.
>
> A little frightening.
>
> --k
>
>> Tom Barber <mailto:tom@spicule.co.uk>
>> 2017-09-9 at 8.03 a
>>
>> Hi folks
>>
>> This isn't supposed to be an alarmist email, but quite enlightening all
>> the
>> same.
>>
>> I saw a link to a plugin on the Drill mailing list called Dependency Check
>> Report so I wired it into my OODT repo amongst others to see what was
>> flagged up since the Struts fallout.
>>
>> Anyway, of course its unlikely but not out of the question to run OODT
>> fronting on to the interwebs so I think this is decent food for thought as
>> to why its useful to keep dependencies up to date as much as possible.
>>
>> Here's a selection of the output:
>>
>> https://www.dropbox.com/s/2ida8dk54yleedo/curator-webapp.html?dl=0
>> https://www.dropbox.com/s/wgt1facgjhqiqkq/fmbrowser.html?dl=0
>> https://www.dropbox.com/s/o8kqcaktplzjy4y/metadata.html?dl=0
>> https://www.dropbox.com/s/cli4pj4jc564f16/pge.html?dl=0
>>
>> Of course there is a bunch of repetition in there and plenty that aren't
>> over the top severe, some may also be false positives, but as we work
>> through to OODT 2.0 with the new stuff and chopping out the old stuff,
>> reducing these as much as possible I would posture.
>>
>> Tom
>>
>>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message