Bug 63090

Summary: Remove slf4j-ext due to CVE-2018-8088
Product: JMeter Reporter: jawadhoot
Component: Main    Assignee: JMeter issues mailing list <issues>
Status: RESOLVED FIXED    
Severity: normal CC: p.mouawad, stefan
Priority: P2 Keywords: FixedInTrunk
Version: 5.0   
Target Milestone: JMETER_5.1   
Hardware: All   
OS: All   
Attachments: issues reported by jfrog xray

Description jawadhoot 2019-01-18 13:37:53 UTC
Created attachment 36379 [details]
issues reported by jfrog xray

I am using JMeter to load test an application.
My organization did a JFrog Xray scan on the Docker image I build to test, and it reported 21 critical security issues with libraries used inside JMeter.

The following issues are reported:

xercesImpl-2.11.0.jar
commons-collections-3.2.2.jar
geronimo-jms_1.1_spec-1.1.1.jar 
slf4j-ext-1.7.25.jar -> 18
Comment 1 Philippe Mouawad 2019-01-19 13:14:12 UTC
(In reply to jawadhoot from comment #0)
> Created attachment 36379 [details]
> issues reported by jfrog xray
> 
> I am using JMeter to load test an application.
> My organization did a JFrog Xray scan on the Docker image I build to test, and it
> reported 21 critical security issues with libraries used inside JMeter.
> 
> The following issues are reported:
> 
> xercesImpl-2.11.0.jar
Upgraded already in nightly build, will be in 5.1
> commons-collections-3.2.2.jar
What is the security issue?
We are not aware of security issues.

> geronimo-jms_1.1_spec-1.1.1.jar 

This is the jar of the JMS specification, not the Geronimo version.
What is the CVE concerned?

> slf4j-ext-1.7.25.jar -> 18

What is the CVE?
We are not aware of a security issue either.
Comment 2 jawadhoot 2019-01-22 09:52:50 UTC
For the other jars we are raising issues with JFrog Xray.


>> slf4j-ext-1.7.25.jar

>What is the CVE?
>We are not aware of a security issue either.

CVE-2018-8088
Comment 3 Philippe Mouawad 2019-01-25 18:04:29 UTC
Author: pmouawad
Date: Fri Jan 25 18:03:56 2019
New Revision: 1852156

URL: http://svn.apache.org/viewvc?rev=1852156&view=rev
Log:
Bug 63090 - Remove slf4j-ext due to CVE-2018-8088
Bugzilla Id: 63090

Modified:
    jmeter/trunk/LICENSE
    jmeter/trunk/build.properties
    jmeter/trunk/build.xml
    jmeter/trunk/eclipse.classpath
    jmeter/trunk/lib/   (props changed)
    jmeter/trunk/lib/aareadme.txt
    jmeter/trunk/res/maven/ApacheJMeter_parent.pom
    jmeter/trunk/xdocs/changes.xml
Comment 4 Felix Schumacher 2019-02-14 17:57:17 UTC
*** Bug 63175 has been marked as a duplicate of this bug. ***
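The fix above removes slf4j-ext from JMeter's lib/ directory. A practitioner rebuilding a JMeter Docker image from an older release, or adding plugins, still wants to verify that no copy of the affected jar is present. The script below is an added example, not code from this bug or from the JMeter project. It checks a lib/ directory two ways: by jar file name (slf4j-ext below an assumed fixed version) and by jar contents (the org/slf4j/ext/EventData class that CVE-2018-8088 concerns), so a fat or shaded jar that bundles the class under another name is caught as well. The fixed-version threshold 1.7.26 is an assumption taken from SLF4J's own release history, not from this page; the sample lib/ directory is constructed inline for the demonstration.

```python
"""Check a JMeter lib/ directory for the slf4j-ext jar dropped in Bug 63090.

Added example, not JMeter project code.
"""
import os
import re
import tempfile
import zipfile

# Assumption (not stated on this page): slf4j-ext releases before 1.7.26 carry
# CVE-2018-8088. JMeter's own fix was simply to stop shipping the jar.
FIXED_SLF4J_EXT = (1, 7, 26)
# The class CVE-2018-8088 concerns; looking for it catches shaded/renamed jars.
VULN_CLASS = "org/slf4j/ext/EventData.class"

# artifact-<numeric version>[-qualifier].jar, e.g. slf4j-ext-1.7.25.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[-.][A-Za-z0-9]+)*\.jar$"
)


def parse_jar_name(filename):
    """Return (artifact, version tuple) for a Maven-style jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("artifact"), version


def jar_contains(path, entry):
    """True if the jar (a zip) has the entry; unreadable files count as not containing it."""
    try:
        with zipfile.ZipFile(path) as zf:
            return entry in zf.namelist()
    except zipfile.BadZipFile:
        return False


def scan_lib(lib_dir):
    """Return sorted (jar name, reason) findings for one lib/ directory."""
    findings = []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        path = os.path.join(lib_dir, name)
        parsed = parse_jar_name(name)
        if parsed and parsed[0] == "slf4j-ext":
            # Name-based check: trust the version once it is at/after the fix.
            if parsed[1] < FIXED_SLF4J_EXT:
                findings.append((name, "slf4j-ext below 1.7.26 (CVE-2018-8088); "
                                       "JMeter 5.1 no longer ships this jar"))
        elif jar_contains(path, VULN_CLASS):
            # Content-based check for jars that bundle the class under another name.
            findings.append((name, "bundles %s (CVE-2018-8088 class)" % VULN_CLASS))
    return findings


def build_sample_lib(lib_dir):
    """Constructed sample input: a fake lib/ with jars like those in the report."""
    def write_jar(name, entries):
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")  # empty placeholder class entries

    write_jar("slf4j-api-1.7.25.jar", ["org/slf4j/Logger.class"])
    write_jar("slf4j-ext-1.7.25.jar", ["org/slf4j/ext/EventData.class"])
    write_jar("slf4j-ext-1.7.26.jar", ["org/slf4j/ext/EventLogger.class"])
    write_jar("xercesImpl-2.11.0.jar", ["org/apache/xerces/parsers/SAXParser.class"])
    # A fat plugin jar that shades the vulnerable class without the slf4j-ext name.
    write_jar("plugin-bundle-3.0.jar", ["org/slf4j/ext/EventData.class"])
    # A corrupt file with a .jar suffix: must not crash the scan.
    with open(os.path.join(lib_dir, "broken-1.0.jar"), "wb") as f:
        f.write(b"not a zip archive")


def demo():
    """Scan the constructed sample directory and return its findings."""
    with tempfile.TemporaryDirectory() as lib_dir:
        build_sample_lib(lib_dir)
        return scan_lib(lib_dir)


if __name__ == "__main__":
    for jar, reason in demo():
        print("%s: %s" % (jar, reason))
```

Run scan_lib against the real lib/ of a JMeter install or the extracted image layer to confirm slf4j-ext is gone; the content check matters because a Docker image scanner keyed on file names would miss a plugin jar that shades the class.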