Comments (11)
NeelabhKher
commented on July 17, 2024
@mbiarnes any guidance is highly appreciated
from business-central.
mbiarnes
commented on July 17, 2024
@NeelabhKher All deps are coming from wars. These wars (with deps) are downloaded from kiegroups/ to create the docker images.
We are supervising the used versions by different applications. Some dependencies can't be updated like this by different reasons.
Please wait until we have the new version 7.55.0.Final.
from business-central.
mpsz76
commented on July 17, 2024
This impacts us still 7.55.0 version and being flagged by X-Ray Vulnerability Scanning.
from business-central.
NeelabhKher
commented on July 17, 2024
Does it even impact the 7.56 version ?
from business-central.
mpsz76
commented on July 17, 2024
Yes still impacts the 7.56 version. I'm thinking it's something with the current Wildfly version used.
from business-central.
NeelabhKher
commented on July 17, 2024
thanks for information
from business-central.
NeelabhKher
commented on July 17, 2024
Any update on this one ?
from business-central.
mbiarnes
commented on July 17, 2024
@NeelabhKher HI - I would scan again. Because I think many version have been updated in the meantime.
from business-central.
mpsz76
commented on July 17, 2024
In my use case, this is getting scanned against JFrog X-Ray vulnerability scanning. Here are the critical issues that pop up.
CVE-2016-2141 Critical | CVE-2016-2141 | org.jgroups:jgroups:3.3.4.Final
CVE-2018-1000134 | com.unboundid:unboundid-ldapsdk:3.2.0
CVE-2017-12629 | org.apache.lucene:lucene-queryparser / 6.6.1
CVSS V3: 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Lxml unspecified encoded path traversal remote file write |
CVE-2017-1000158 | Cpython (aka python) up to 2.7.13 is vulnerable to an integer overflow
CVE-2017-7465 | xalan | It was found that the jaxp implementation used in jboss eap 7.0 for xslt processing is vulnerable to code injection
CVSS V3: 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| io.fabric8:kubernetes-client | Fabric8 kubernetes-client contains a flaw that allows traversing outside of a restricted path. the issue is due to the podoperationsimpl::copydir() function in
This was ran on version 7.62 on the image available from Quay
from business-central.
mbiarnes
commented on July 17, 2024
@NeelabhKher @mpsz76 Hi, would be nice if you guys can advise which versions have no vulnerability.
i.e. com.unboundid:unboundid-ldapsdk:3.2.0 -- com.unboundid:unboundid-ldapsdk:???
There are some dependencies coming from EAP7 - this we can't change.
from business-central.
mpsz76
commented on July 17, 2024
In my situation, the company did not scan intranet applications until January 2021. Currently, on 7.37 which was not scanned. The first scan was on 7.54 which has the same vulnerabilities as listed above.
from business-central.
Related Issues (20)
- docker-compose and MySQL HOT 2
- Support Java 17
- How to use custom workitem handlers HOT 1
- Unable to pull business-central showcase docker image from the registry HOT 1
- Log4j vulnerability HOT 3
- Does jbpm-server-full support High Availability ? HOT 7
- Kubernetes HOT 2
- Users and groups gets deleted after taking down docker compose container HOT 4
- Installing 7.61 and later fails on AWS Fargate HOT 4
- Twistlock Scan issues with wildfly 23.0.0 & 24.0.1
- Readme.md - The link not work HOT 1
- Login failed: Not Authorized
- kie-server try to requesting the https://repository.jboss.org:443 server while creating container HOT 7
- is it possible to add a project and space on startup by editing the dockerfile ? HOT 2
- hi, team, are we planing to bump up versions? HOT 1
- Is it possible to build and deploy my project as part of the dockerfile? HOT 1
- Building server under Docker for Windows
- The jbpm-full-mysql example fails to integrate with MySql HOT 1
- ARM compatible Docker image
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from business-central.