How to upgrade log4j-api to 2.17 in JFrog Artifactory? - log4j

JFrog recommends upgrading log4j to 2.15 as the permanent fix. Can I just replace it with the latest log4j-api.jar file? Or does JFrog release the latest patch for this?
How can I completely fix the issue?
The best fix for this issue would be to upgrade your log4j dependencies to version 2.15.0, which resolved the issue in several layers and improved the overall security of log4j.
As an additional layer of protection, we also recommend setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable globally (see next section).

@Syed JFrog products are not affected by this vulnerability, as they are not using the log4j-core package. We can confirm that JFrog services are not affected by CVE-2021-44228.
JFrog Security has validated that JFrog Platform solutions themselves are not affected, as no products, including Artifactory version 6.x or 7.x, use the log4j-core package. CVE-2021-44228 only affects 'log4j-core', which is not used in Artifactory. Other packages such as log4j-over-slf4j, log4j-api and log4j-to-slf4j are unaffected.
Hence, there is no action required from users to upgrade this library.
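The answer's point is that only log4j-core carries CVE-2021-44228, while log4j-api, log4j-over-slf4j and log4j-to-slf4j need no action. The script below is an added example (not from the question, the answer or JFrog) that turns that distinction into a check: it inventories the jars under a directory, classifies each by artifact name, and flags only log4j-core jars older than the fix version. It assumes Maven-style `<artifactId>-<version>.jar` file names and GNU `sort -V`; the fix version defaults to the 2.15.0 the answer names and can be overridden with 2.17.0 or later.

```shell
#!/bin/sh
# Added example, not from the question or from JFrog: inventory the log4j jars
# under a directory and flag only log4j-core below the fix version. Mirrors the
# answer's point that log4j-api, log4j-over-slf4j and log4j-to-slf4j are not
# affected by CVE-2021-44228 and need no action.
# Assumptions: jars follow Maven's <artifactId>-<version>.jar naming, and
# GNU sort -V is available for version comparison.

# classify_log4j_jar <path-to-jar> [fix_version]
#   prints "<artifact> <version> <status>"; fix_version defaults to 2.15.0,
#   the version the answer names (pass 2.17.0 or later to check against that).
classify_log4j_jar() {
    jar_path="$1"
    fix_version="${2:-2.15.0}"
    base=$(basename "$jar_path" .jar)
    # version = trailing "-<digit...>" run; artifact = what precedes it
    version=$(printf '%s\n' "$base" | sed -n 's/.*-\([0-9][0-9A-Za-z.-]*\)$/\1/p')
    artifact=${base%-"$version"}
    case "$artifact" in
        log4j-core)
            # the jar is older than the fix if it sorts first and is not equal
            lowest=$(printf '%s\n%s\n' "$version" "$fix_version" | sort -V | head -n 1)
            if [ "$version" != "$fix_version" ] && [ "$lowest" = "$version" ]; then
                status="BELOW_FIX_VERSION"
            else
                status="OK_core_at_or_above_fix"
            fi ;;
        log4j-api|log4j-over-slf4j|log4j-to-slf4j)
            status="UNAFFECTED_not_core" ;;
        *)
            status="OTHER_not_classified" ;;
    esac
    printf '%s %s %s\n' "$artifact" "$version" "$status"
}

# scan_log4j_jars <dir> [fix_version]
#   one line per jar found; exit status 0 when no log4j-core below the fix was seen
scan_log4j_jars() {
    scan_dir="$1"
    scan_fix="${2:-2.15.0}"
    vulnerable=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        line=$(classify_log4j_jar "$jar" "$scan_fix")
        printf '%s\n' "$line"
        case "$line" in *BELOW_FIX*) vulnerable=$((vulnerable + 1)) ;; esac
    done <<EOF
$(find "$scan_dir" -name '*.jar' | sort)
EOF
    [ "$vulnerable" -eq 0 ]
}

# Constructed sample tree: empty files named like a typical lib/ directory
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/lib"
for name in log4j-api-2.14.1 log4j-core-2.14.1 log4j-to-slf4j-2.14.1 \
            log4j-over-slf4j-1.7.32 jackson-databind-2.9.8; do
    : > "$demo_dir/lib/$name.jar"
done
if scan_log4j_jars "$demo_dir"; then
    echo "no log4j-core below the fix version under $demo_dir"
else
    echo "log4j-core below the fix version found under $demo_dir"   # this sample hits this branch
fi
rm -rf "$demo_dir"
```

Run it against an installation's lib directories; a listing that shows only log4j-api or the slf4j bridges is exactly the "no action required" case the answer describes, whereas any `BELOW_FIX_VERSION` line identifies a core jar that the upgrade advice applies to. The check goes by file name only, so a shaded or renamed bundle would need inspection of the jar's contents instead.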

Related

Security Vulnerability Issue with one of the dependencies - growl with latest version of polyfill-service

I am working with Node code, where I am using polyfill-service with the latest version 3.25.3 (https://www.npmjs.com/package/polyfill-service); it uses growl internally with version 1.9.2.
growl 1.9.2 has a critical security vulnerability (https://security.snyk.io/package/npm/growl/1.9.2). Is it possible to upgrade internal dependencies in Node to higher versions to mitigate any security vulnerabilities?
Q: Are there any alternatives to polyfill-service?
Thanks,
I tried upgrading polyfill-service to the latest version, but it is still using growl version 1.9.2 internally, which has a critical security vulnerability.

Azure Builds NuGetToolInstaller cache version is outdated, how do I update it?

At my company, I can't get the NuGetToolInstaller task to work in Azure Builds. I think it is having trouble getting out past the proxy, so I just don't use the task and rely on a cached version of NuGet.exe. However, the problem is that the cached version is an older version, NuGet 4.1.0, and I have no idea how to update it.
I was able to trick it by going to the location of the NuGet.exe file in the 4.1.0 folder and overwriting it with NuGet 5.5.1 version. Seems kludgy to me.
My question:
What's the correct way to update the NuGet.exe in cache used by the build agent folder?
Bonus:
I have proxy credentials, how do I make the NuGetToolInstaller work?
As a workaround, after downloading NuGet 5.5.1 to your local machine, you can add the local path of nuget.exe to your PATH environment variable (copy the location of nuget.exe > navigate to Control Panel > System > Advanced System Settings > Environment Variables). Then, when using a self-hosted agent, you can directly call the nuget command through a cmd task in Azure DevOps.

OWASP security issue with jackson-databind-2.9.8 jar

I have a Maven web project (RESTful, Spring REST/Data) running on Java 8 (Tomcat 8.5.5) and using 'jackson-databind-2.9.8.jar'. When the Dependency Check tool (which checks for vulnerable jar versions and generates a report) is run against the libraries the project uses, it flags 'jackson-databind-2.9.8.jar' as vulnerable (reference: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.9.8).
Problem: changing to 'jackson-databind-2.10.0.jar' fixes the OWASP security issue (when running the Dependency Check tool), but when the project is built and run it throws an error, since 2.10.0 uses JDK 9+ compliant classes (reference: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10).
What should be done to resolve the issue? Can we make the project compile on Java 8 and run on JDK 11 (since JDK 9 is out of support), or should something else be done? Please suggest.
Thanks in advance!
CVE-2019-12086 is fixed in jackson-databind-2.9.9.jar.
See the report: https://nvd.nist.gov/vuln/detail/CVE-2019-12086
Maven repo for 2.9.9: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.9

Nuget upgrade Azure webjobs SDK 2.3 to 3.0 when using serviceBus

Webjobs version 3 has been out since around September so I want to upgrade from 2.3.0 to the latest version, currently 3.0.4.
The Microsoft.Azure.Webjobs.servicebus package is, however, blocking me from doing so. I tried looking at webjobs sdk samples but they had the exact same issue with the servicebus package blocking the upgrade.
Questions
What is the correct way to upgrade the webjobs nuget package?
Am I mistaken that version 3 is ready for production yet?
At the time I'm writing this, the newest release version of Microsoft.Azure.WebJobs.ServiceBus is 2.3.0. Looking at the package on nuget.org and expanding the dependencies, I see this:
Microsoft.Azure.ServiceBus.EventProcessorHost (>= 2.2.10)
Microsoft.Azure.WebJobs (= 2.3.0)
Microsoft.Extensions.Logging.Abstractions (>= 1.1.1)
Newtonsoft.Json (>= 9.0.1)
WindowsAzure.ServiceBus (>= 3.4.5)
Notice how the version number for the Microsoft.Azure.WebJobs dependency uses = and not >= like the other dependencies. Therefore, NuGet is being instructed to not allow different versions of the package.
There are some 3.0.0 beta packages you could try, which interestingly use >= for the WebJobs dependency, so you can use the latest "release" version of WebJobs package while using the ServiceBus beta package. Or, if you can migrate from packages.config to PackageReference, NuGet may allow you to use "incompatible" versions of packages with a warning, but if the package author is telling you that their package only works with a specific version of a dependency, there's an increased risk that you'll get runtime failures if you use a different version.
Looking at the package Microsoft.Azure.WebJobs.ServiceBus on nuget.org, it doesn't seem to be maintained:
The last release was on 29 Nov 2018 - over a year ago.
The last beta was on 30 Aug 2018, also over a year ago. Several betas, with no release following them.
This looks abandoned. Has the package been renamed? Or the functionality folded into a different package? Why is there no upgrade path guidance here?
The disparity between the dependencies of this package and others in use is starting to cause issues for us.

How do I use yum to download software only from CentOS 5.4 and not the latest?

The requirement is to download software from CentOS 5.4. When I do yum install, I get the latest version and not the one available for CentOS 5.4.
How do I configure yum to download only from 5.4 repo?
As I said in my answer to your other question, you need to find a repository that has a maintained, static entry for 5.4.
Most repositories have just one repository for each major version and upgrade it as new minor versions are released. But some keep specific repositories for each version independently (at least for a little while).
I would start by checking whether your current repository has an explicit 5.4 repository (by using the URL in the yum.conf or /etc/yum.repos.d/*.repo file for the repository).
If that doesn't work out you get to try other mirrors as listed on the CentOS mirrors website.
As a fallback, and I encourage you to try to find a valid mirror first, you can find this sort of minor version specific repository on http://vault.centos.org.
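For the vault fallback the answer ends with, the script below is an added example (not part of the answer) that generates a `.repo` file pointing yum at the archived 5.4 tree on vault.centos.org, keeps it disabled by default, and prints the yum invocation that enables only those sections while disabling every other repository, so the main mirror's newer packages cannot be pulled in. It assumes the vault layout `http://vault.centos.org/5.4/os/$basearch/` and `.../5.4/updates/$basearch/` (check the URLs in a browser before relying on them) and that the CentOS 5 signing key sits at `/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5` so `gpgcheck` can stay on.

```shell
#!/bin/sh
# Added example, not from the answer: generate a .repo file that points yum at the
# archived CentOS 5.4 tree on vault.centos.org (the fallback the answer names),
# kept disabled by default so it is only used when enabled on the command line.
# Assumptions: the vault tree is laid out as http://vault.centos.org/<rel>/os/$basearch/
# and .../<rel>/updates/$basearch/, and the CentOS 5 signing key is installed at
# /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 so gpgcheck can stay on.

# render_vault_repo <release> -> repo file contents on stdout
render_vault_repo() {
    rel="$1"
    cat <<EOF
[vault-${rel}-os]
name=CentOS-${rel} - Base (vault.centos.org)
baseurl=http://vault.centos.org/${rel}/os/\$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[vault-${rel}-updates]
name=CentOS-${rel} - Updates (vault.centos.org)
baseurl=http://vault.centos.org/${rel}/updates/\$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
EOF
}

# write_vault_repo <release> [dest_dir] -> writes the file, prints its path
# (dest_dir defaults to /etc/yum.repos.d; pass a scratch directory to preview)
write_vault_repo() {
    rel="$1"
    dest_dir="${2:-/etc/yum.repos.d}"
    out="$dest_dir/CentOS-Vault-${rel}.repo"
    render_vault_repo "$rel" > "$out"
    printf '%s\n' "$out"
}

# pinned_install_cmd <release> <package...> -> the yum command line to run as root:
# every other repository disabled, only the two vault-<release>-* sections enabled,
# so yum can only resolve packages from the pinned minor release
pinned_install_cmd() {
    rel="$1"; shift
    printf "yum --disablerepo='*' --enablerepo='vault-%s-*' install %s\n" "$rel" "$*"
}

# Demo against a temporary directory instead of /etc/yum.repos.d
demo_dir=$(mktemp -d)
repo_file=$(write_vault_repo 5.4 "$demo_dir")
cat "$repo_file"
pinned_install_cmd 5.4 httpd
rm -rf "$demo_dir"
```

Because the sections are written with `enabled=0`, a plain `yum install` keeps using the existing mirrors; only the printed command, with `--disablerepo='*'` and the `vault-5.4-*` wildcard, resolves against the 5.4 tree. Keeping `gpgcheck=1` matters here because the vault serves packages that are no longer updated, so signature verification is the only assurance that what arrives is the original CentOS build.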
