Details
Bug
Status: Resolved
Major
Resolution: Fixed
2.7.3
Description
Remove dependency on org.mortbay.jasper:apache-el:jar:8.5.33 in Ambari Logsearch due to security concerns. See https://nvd.nist.gov/vuln/detail/CVE-2019-0199
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-server ---
[INFO] org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]    \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
[INFO]
[INFO] ------------< org.apache.ambari:ambari-logsearch-assembly >-------------
[INFO] Building Ambari Logsearch Assembly 2.7.3.0.0 [13/14]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-assembly ---
[INFO] org.apache.ambari:ambari-logsearch-assembly:jar:2.7.3.0.0
[INFO] \- org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]       \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-logsearch-it >----------------
[INFO] Building Ambari Logsearch Integration Test 2.7.3.0.0 [14/14]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-it ---
[INFO] org.apache.ambari:ambari-logsearch-it:jar:2.7.3.0.0
[INFO] \- org.apache.ambari:ambari-logsearch-server:jar:2.7.3.0.0:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-jetty:jar:2.0.6.RELEASE:compile
[INFO]       \- org.mortbay.jasper:apache-el:jar:8.5.33:compile
The recommendation is to remove the dependency or upgrade to org.springframework.boot:spring-boot-starter-jetty:jar:2.0.9.RELEASE or the latest version, if possible.
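One way to carry out the "remove the dependency" option in a Maven POM, with a build-time guard so the artifact cannot return through another transitive path. This is an added example, not the change committed to Ambari. It assumes the versions of spring-boot-starter-jetty and maven-enforcer-plugin are managed elsewhere in the build (the `maven-enforcer-plugin.version` property is hypothetical) and that nothing on the classpath needs this EL implementation at runtime.

```xml
<!-- In <dependencies> of the module that pulls in the Jetty starter
     (ambari-logsearch-server in the tree above): cut the transitive edge. -->
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-jetty</artifactId>
  <!-- version assumed to come from dependencyManagement / the Spring Boot BOM -->
  <exclusions>
    <exclusion>
      <groupId>org.mortbay.jasper</groupId>
      <artifactId>apache-el</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- In <build><plugins>: fail the build if apache-el reappears anywhere in
     the resolved tree, including transitively (the rule's default). -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <!-- hypothetical property; pin to the version your build already uses -->
  <version>${maven-enforcer-plugin.version}</version>
  <executions>
    <execution>
      <id>ban-apache-el</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <excludes>
              <!-- groupId:artifactId, all versions -->
              <exclude>org.mortbay.jasper:apache-el</exclude>
            </excludes>
          </bannedDependencies>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Re-running `mvn dependency:tree` on the three modules listed above confirms the result: the `org.mortbay.jasper:apache-el` line should no longer appear under `spring-boot-starter-jetty`.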