组件漏洞 #732

gitYupan · 2023-09-25T01:51:31Z

Describe the question or bug

以下组件有漏洞，被打包到sofa-ark-all-2.2.1.jar/lib/ 中，业务无法指定pom版本来进行升级
Guava-30.1-jre：CVE-2023-2976 -高危
Netty Handler-4.1.90.Final：CVE-2023-34462 -中危

Environment

SOFAArk version:2.2.1
JVM version (e.g. java -version):1.8
OS version (e.g. uname -a):Linux

The text was updated successfully, but these errors were encountered:

lvjing2 · 2023-09-25T01:57:39Z

你好，能详细解释下业务为何无法指定版本吗？

gitYupan · 2023-09-25T02:44:19Z

上传到maven中央仓库的sofa-ark-all-2.2.1.jar将guava、netty等依赖打包到了sofa-ark-all-2.2.1.jar/lib/中

gitYupan · 2023-09-25T02:47:16Z

报告图如下：

lvjing2 · 2023-09-25T02:55:38Z

OK, 了解了，是 sofaArk compile 依赖了这几个依赖引入导致的。

sofastack#732

lvjing2 added the good first issue Good for newcomers label Sep 25, 2023

vcjmhg pushed a commit to vcjmhg/sofa-ark that referenced this issue Oct 21, 2023

fix:Fix guava and netty jar package vulnerabilities

2efaf9f

sofastack#732

vcjmhg mentioned this issue Oct 21, 2023

fix:Fix guava and netty jar package vulnerabilities #755

Closed

lvjing2 mentioned this issue Oct 24, 2023

fix: zip slip bug. #746

Closed

This was referenced Nov 24, 2023

update guava or netty #788

Merged

2023-11-28 双周会内容 sofastack/sofa-serverless#335

Closed

lvjing2 closed this as completed in #788 Nov 28, 2023

lvjing2 mentioned this issue Dec 8, 2023

2023-12-12 双周会内容 sofastack/sofa-serverless#387

Closed

36 tasks

lvjing2 mentioned this issue Dec 25, 2023

2023-12-26 双周会内容 sofastack/sofa-serverless#415

Closed

15 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

组件漏洞 #732

组件漏洞 #732

gitYupan commented Sep 25, 2023

lvjing2 commented Sep 25, 2023

gitYupan commented Sep 25, 2023

gitYupan commented Sep 25, 2023

lvjing2 commented Sep 25, 2023

组件漏洞 #732

组件漏洞 #732

Comments

gitYupan commented Sep 25, 2023

Describe the question or bug

Environment

lvjing2 commented Sep 25, 2023

gitYupan commented Sep 25, 2023

gitYupan commented Sep 25, 2023

lvjing2 commented Sep 25, 2023