CVE vulnerabilities during scan of RoR plugin
esmierciakSR opened this issue · comments
In our use of the RoR plugin, our scanning of the plugin when part of a Docker image detected the following CVE vulnerabilities:
Hi @esmierciakSR what version of ES did you scan? You know, netty and jackson are ES dependencies and we cannot do much with it
This was ES 7.9.1, packaged with the corresponding RoR for 7.9.1
The fix for most of the vulnerabilities would be to upgrade netty and jackson libraries to their latest version. For instance the latest version of jackson is 2.11.2 I think.
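As an added example (not code from the thread or from the ReadonlyREST project), the script below is the check a practitioner would run before deploying a plugin pre-build: it opens the plugin zip, reads the version out of each bundled jar filename, and flags any artifact that is older than a stated minimum. The 2.11.2 floor for jackson-databind comes from the comment above; the netty floor and the `elasticsearch/` folder layout inside the zip are assumptions, and the sample zip is constructed in memory so the script runs offline.

```python
"""Flag outdated jars bundled in an Elasticsearch plugin zip.

Added example; not ReadonlyREST's own tooling. The zip layout and the
netty minimum below are assumptions for illustration.
"""
import io
import re
import zipfile

# Minimum acceptable versions. jackson-databind 2.11.2 is the version named
# in the thread; the netty value is a placeholder assumption.
MIN_VERSIONS = {
    "jackson-databind": (2, 11, 2),
    "netty-codec-http": (4, 1, 50),  # assumption, not from the thread
}

# Matches e.g. "jackson-databind-2.9.6.jar" or "netty-codec-http-4.1.49.Final.jar":
# artifact id, numeric version, optional qualifier such as ".Final".
JAR_RE = re.compile(
    r"(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[.-][A-Za-z0-9]+)*\.jar"
)


def parse_version(text):
    """'2.9.6' -> (2, 9, 6) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def bundled_jars(zip_bytes):
    """Return {artifact: version_tuple} for every jar found in the zip."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]  # ignore directory prefix
            match = JAR_RE.fullmatch(base)
            if match:
                found[match.group("artifact")] = parse_version(match.group("version"))
    return found


def outdated(jars, minimums=MIN_VERSIONS):
    """Return the subset of `jars` that is below its minimum version."""
    return {
        artifact: jars[artifact]
        for artifact, floor in minimums.items()
        if artifact in jars and jars[artifact] < floor
    }


def build_sample_plugin_zip(jar_names):
    """Constructed sample: an in-memory zip with empty jar entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jar_names:
            zf.writestr(f"elasticsearch/{jar}", b"")
    return buf.getvalue()


# Constructed inputs: one build bundling old jars, one after the upgrade.
OLD_BUILD = build_sample_plugin_zip(
    ["jackson-databind-2.9.6.jar", "netty-codec-http-4.1.49.Final.jar", "readonlyrest.jar"]
)
NEW_BUILD = build_sample_plugin_zip(
    ["jackson-databind-2.11.2.jar", "netty-codec-http-4.1.50.Final.jar", "readonlyrest.jar"]
)

if __name__ == "__main__":
    for label, blob in (("old build", OLD_BUILD), ("new build", NEW_BUILD)):
        stale = outdated(bundled_jars(blob))
        print(label, "->", "OK" if not stale else f"outdated: {stale}")
```

Run it against a real plugin zip by replacing the constructed blobs with `open("readonlyrest-<version>.zip", "rb").read()`; comparing version tuples rather than strings matters because `"2.9.6" > "2.11.2"` lexically, which is the kind of mistake that hides an old jar.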
ok, seems that we can upgrade some of netty and jackson dependencies. Will let you know when it's done
Just checking in on this. Any prediction as to when there will be a release of RoR that includes these dependency updates?
@esmierciakSR it is going to be a part of ROR 1.25.0. We release once a month. Next release will be in November. But when it's ready, I'll send you a pre-build of 1.25.0 to test.
Thanks for the update. Look forward to it.
@esmierciakSR could you please try this pre-version of ROR?
same issue reported here: https://forum.readonlyrest.com/t/update-of-jackson-databind-2-9-6-jar/1728/3
and confirmed that it's fixed.