question on jetty version for security vulnerability


Esteban Lartigue

Feb 28, 2018, 2:16:40 PM
to ehcache-users
I work on an AEM site that uses ehcache 2.10 as a dependency jar.

The issue is that our security team detected a vulnerability in their white hat report: CVE-2017-9735 in the next path related to the jetty dependency.


I'm upgrading to ehcache 2.10.4 (latest) hoping for those vulnerabilities to go away, but I noticed that the deliverable (Apr 17, 2017) might not have the latest jetty version with the vulnerability fixed (those are in May 2017 and later).


Question: is ehcache 2.10.5 on the horizon? Or are you planning to update to the latest version of jetty?



-thanks
Esteban



Henri Tremblay

Feb 28, 2018, 2:30:20 PM
to ehcach...@googlegroups.com
Hi,

Yes. We are aware of it.

It is related to the REST management API, not to the core of Ehcache.

Nevertheless, these issues should indeed be solved in the next version. I don't have the date but it shouldn't be in the far future.

Henri



Esteban Lartigue

Feb 28, 2018, 3:10:34 PM
to ehcache-users
Thank you. Just wondering, is this issue gone in org.ehcache 3.x?

-Esteban

Henri Tremblay

Feb 28, 2018, 3:14:57 PM
to ehcach...@googlegroups.com
It indeed doesn't exist in Ehcache 3.

Ehcache 3 currently has no known security vulnerability.


Srinivas Allada

Dec 8, 2022, 4:01:45 PM
to ehcache-users
Hi,

We have identified the 2 vulnerabilities below with ehcache2, which is what we are using.

org.eclipse.jetty_jetty-server version 8.1.9.v20130131

com.fasterxml.jackson.core_jackson-databind version 2.11.1

Is there any article released, or do we know whether the latest version of ehcache3 is free from these vulnerabilities and has any new ones?

Appreciate your help.

Srini

