[FOLIO-3931] mod-remote-sync: ehcache 2 End of Life Created: 30/Nov/23  Updated: 11/Jan/24

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P2
Reporter: Julian Ladisch Assignee: Ian Ibbotson (Use this one)
Resolution: Unresolved Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
defines SECURITY-45 CVE-2023-36478 jetty-io Analysis of v... Completed
Relates
relates to SECURITY-42 CVE-2022-2048 jetty-io Analysis of vu... Completed
Sprint:
Development Team: K-Int
RCA Group: Related dependency upgrade

Description

Overview:

mod-remote-sync uses ehcache 2, which is out of support.

Steps to Reproduce:

  1. mod-remote-sync has ehcache:2.10.9.2 dependency: https://github.com/folio-org/mod-remote-sync/blob/95ff534ca841e676bfa72d61439c3542cd5f3243/service/build.gradle#L160
  2. ehcache 2 has reached its end of life: https://github.com/ehcache/ehcache2#ehcache-2x-community--foss-edition-has-reached-end-of-life

Expected Results:

Either no ehcache dependency at all (if mod-remote-sync doesn't need ehcache), or an ehcache 3 dependency.

Actual Results:

mod-remote-sync still depends on ehcache 2.

Additional Information:

The latest ehcache 2 version comes with a relocated jetty-io dependency that has a known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-36478

Comments
Comment by Ann-Marie Breaux (Inactive) [ 01/Dec/23 ]

Hi Julian Ladisch and Ian Ibbotson (Use this one), which dev team should this bug be assigned to? Thank you!

Generated at Thu Feb 08 23:31:50 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.