Bug 63090 - Remove slf4j-ext due to CVE-2018-8088
Summary: Remove slf4j-ext due to CVE-2018-8088
Status: RESOLVED FIXED
Alias: None
Product: JMeter - Now in Github
Classification: Unclassified
Component: Main
Version: 5.0
Hardware: All All
Importance: P2 normal
Target Milestone: JMETER_5.1
Assignee: JMeter issues mailing list
URL:
Keywords: FixedInTrunk
Duplicates: 63175
Depends on:
Blocks:

Reported: 2019-01-18 13:37 UTC by jawadhoot
Modified: 2019-02-14 17:57 UTC

Attachments
issues reported by jfrog xray (27.78 KB, text/plain)
2019-01-18 13:37 UTC, jawadhoot

Description jawadhoot 2019-01-18 13:37:53 UTC
Created attachment 36379 [details]
issues reported by jfrog xray

I am using JMeter to load test an application.
My organization did a JFrog Xray scan on a Docker image I built to test, and it reported 21 critical security issues with libraries used inside JMeter.

The following issues are reported:

xercesImpl-2.11.0.jar
commons-collections-3.2.2.jar
geronimo-jms_1.1_spec-1.1.1.jar
slf4j-ext-1.7.25.jar -> 18
Comment 1 Philippe Mouawad 2019-01-19 13:14:12 UTC
(In reply to jawadhoot from comment #0)
> Created attachment 36379 [details]
> issues reported by jfrog xray
> 
> I am using JMeter to load test an application.
> My organization did a JFrog Xray scan on a Docker image I built to test, and it
> reported 21 critical security issues with libraries used inside JMeter.
> 
> The following issues are reported:
> 
> xercesImpl-2.11.0.jar
Upgraded already in the nightly build; will be in 5.1.
> commons-collections-3.2.2.jar
What is the security issue?
We are not aware of security issues.

> geronimo-jms_1.1_spec-1.1.1.jar

This is the jar of the JMS specification, not the Geronimo version.
What is the CVE concerned?

> slf4j-ext-1.7.25.jar -> 18

What is the CVE?
We are not aware of a security issue either.
Comment 2 jawadhoot 2019-01-22 09:52:50 UTC
For the other jars we are raising issues with JFrog Xray.


> > slf4j-ext-1.7.25.jar
> 
> What is the CVE?
> We are not aware of a security issue either.

CVE-2018-8088
Comment 3 Philippe Mouawad 2019-01-25 18:04:29 UTC
Author: pmouawad
Date: Fri Jan 25 18:03:56 2019
New Revision: 1852156

URL: http://svn.apache.org/viewvc?rev=1852156&view=rev
Log:
Bug 63090 - Remove slf4j-ext due to CVE-2018-8088
Bugzilla Id: 63090

Modified:
    jmeter/trunk/LICENSE
    jmeter/trunk/build.properties
    jmeter/trunk/build.xml
    jmeter/trunk/eclipse.classpath
    jmeter/trunk/lib/   (props changed)
    jmeter/trunk/lib/aareadme.txt
    jmeter/trunk/res/maven/ApacheJMeter_parent.pom
    jmeter/trunk/xdocs/changes.xml
Comment 4 Felix Schumacher 2019-02-14 17:57:17 UTC
*** Bug 63175 has been marked as a duplicate of this bug. ***
Comment 5 The ASF infrastructure team 2022-09-24 20:38:15 UTC
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/4979