security vulnerability: janusgraph-full-1.0.0-rc1: in ./lib ( netty-all.4.1.58.Final) as well as ./lib/gremlin-console-3.6.1.jar & gremlin-driver.3.6.1.jar (netty-all.4.1.77.Final)
hadoopmarc@...
Hi Yingjie,
Still not clear to me.
- What do you mean by "they embed netty-all.4.1.77.Final.jar"? The gremlin jars only contain the code from Tinkerpop, no netty bytecode.
- The Cassandra lib directory need not be used; it is only included to run a local Cassandra instance for the bin/janusgraph.sh script. So, you can simply remove the cassandra directory and still use gremlin-console.
Marc
On Wed, Jan 25, 2023 at 01:16 PM, Yingjie Li wrote:
they embed netty-all.4.1.77.Final.jar
Yingjie Li
Hello Marc,
Yes, they are in the ./lib directory of janusgraph-1.0.0-rc1 and they
embed netty-all.4.1.77.Final.jar, whose CVEs can be found at
https://mvnrepository.com/artifact/io.netty/netty-all/4.1.77.Final
(the latest version is 4.1.87). The ./lib/ directory also comes with
netty.4.1.58.jar.Final.
Actually, in the all-in-one package janusgraph-full-1.0.0-rc1 that comes
with Cassandra 4.0.6, the netty-all version in both the JanusGraph lib and
the Cassandra lib is 4.1.58.jar, which has a higher security risk of
CVSS 8.4 (sonatype-2021-0789). I was able to successfully replace the
one in the JanusGraph lib with the latest 4.1.87 version. But replacing
the one in the Cassandra lib threw an exception and failed to start.
I also checked the latest Cassandra (4.1.0) and it still has the old
version jar (4.1.58). Just wondering whether anybody has some
experience in replacing this jar with the higher version in
Cassandra or gremlin console & driver 3.6.1.
Also, any pointers to other user groups that might be able to help are
appreciated.
Thanks,
Yingjie
On Wed, Jan 25, 2023 at 2:06 AM <hadoopmarc@...> wrote:
Hi Yingjie,
Sorry, I do not understand. The gremlin-console-3.6.1.jar and gremlin-driver.3.6.1.jar are part of janusgraph-1.0.0-rc1.
Marc
Yingjie Li
Hello all,
There is a high security vulnerability due to the netty-all jars in janusgraph-full-1.0.0-rc1 that we'd like to upgrade to version > 4.1.82.Final. For ./lib/netty-all-4.1.58.Final.jar, I have directly replaced it with the latest version netty-all-4.1.87.Final.jar and it seems all good for my use. Any pointers on where to get the upgraded versions for the embedded gremlin-console-3.6.1.jar and gremlin-driver.3.6.1.jar?
Thanks,
Yingjie
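The thread above does its netty inventory by hand. As an added example (not code from the thread or from the JanusGraph project), the script below walks a distribution tree such as janusgraph-full, reads the version from standalone netty jars in ./lib (and a bundled cassandra/lib), and also looks inside every other jar for netty shaded in via its Maven pom.properties, which is how to confirm Marc's point that the gremlin jars carry no netty bytecode. The directory layout and jar contents in build_sample_distribution are constructed stand-ins, not real artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Minimum acceptable netty version, as requested in the thread (> 4.1.82.Final).
MIN_NETTY = (4, 1, 83)
# Standalone netty artifacts such as netty-all-4.1.58.Final.jar or netty-codec-4.1.77.Final.jar.
NETTY_JAR = re.compile(r"^netty(?:-[a-z0-9-]+)?-(\d+)\.(\d+)\.(\d+)\.Final\.jar$")

def netty_version_in_jar(jar):
    """Return (version, kind): 'standalone' for a netty artifact itself, 'shaded' for netty
    bundled inside another jar (version from its Maven pom.properties), (None, None) otherwise."""
    m = NETTY_JAR.match(Path(jar).name)
    if m:
        return tuple(int(x) for x in m.groups()), "standalone"
    with zipfile.ZipFile(jar) as zf:
        for n in zf.namelist():
            if n.startswith("META-INF/maven/io.netty/") and n.endswith("pom.properties"):
                v = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", zf.read(n).decode(), re.M)
                if v:
                    return tuple(int(x) for x in v.groups()), "shaded"
    return None, None

def audit_lib_dir(root, minimum=MIN_NETTY):
    """Walk every jar under root (a bundled cassandra/lib included); report netty copies below minimum."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version, kind = netty_version_in_jar(jar)
        if kind and version < minimum:
            findings.append((jar.relative_to(root).as_posix(), version, kind))
    return findings

def build_sample_distribution(root):
    """Constructed stand-in for a janusgraph-full layout; the entries are not real classes."""
    def jar(rel, *entries):
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(Path(root, rel), "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    jar("lib/netty-all-4.1.58.Final.jar", ("io/netty/Dummy.class", b""))
    jar("lib/netty-all-4.1.87.Final.jar", ("io/netty/Dummy.class", b""))
    jar("lib/gremlin-console-3.6.1.jar", ("org/apache/tinkerpop/Dummy.class", b""))  # no netty
    jar("cassandra/lib/shaded-netty.jar", ("io/netty/Dummy.class", b""),
        ("META-INF/maven/io.netty/netty-all/pom.properties", b"version=4.1.58.Final\n"))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_distribution(tmp)
        return audit_lib_dir(tmp)
```

Point audit_lib_dir at the unpacked janusgraph-full directory to get the same report for a real distribution; only jars whose netty copy is below MIN_NETTY are listed.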