ML Java Client v2.0.5 - CVE vulnerability (CVE-2014-3577)

[davidbcollins]

A known vulnerability exists in a dependency: CVE-2014-3577.

It is in jersey-apache-client4-1.17.jar.

[sammefford]

Fixed by commit 7a598ca

[sammefford]

That is, my understanding is that the vulnerability is actually in Apache HTTP Client 4.1.1. That commit upgrades from 4.1.1 to 4.5.3, thus overcoming the vulnerability. As long as regression tests are passing, we can deploy this change with version 4.0.2. Soon thereafter, however, the plan is to completely remove Jersey and Apache HttpClient ( #65 ).

[georgeajit]

No regressions due to HttpClient ver 4.5.3. Verified on 05/04/2017 regression run status. Also ran tests locally on Windows laptop with ML Server build 10.0-20170504 and develop branch.

[ammy1999]

Hello,
A regression in jersey-apache-client4-1.19.4.jar , it is a vulnerability CVE-2006-0550
what should I do to remove it !!

[sammefford]

@ammy1999 What do you mean a regression? Why are you using jersey-apache-client4-1.19.4.jar?

Have you tried using the latest java-client-api? It has Jersey completely removed.

[ammy1999]

jersey-apache-client4-1.19.4.jar a child of spring-cloud-starter-ribbon , then jersey is automatically generated but it is a high vulnerability of dependancy check , so How can I remove this dependency or remplace it ?? help please

[sammefford]

@ammy1999 please forgive my inability to understand. If you need help with a dependency of spring-cloud-starter-ribbon, shouldn't you contact them? That's not something we use or support...

[ammy1999]

ok @sammefford thank you