security vulnerability: janusgraph-full-1.0.0-rc1: in ./lib ( netty-all.4.1.58.Final) as well as ./lib/gremlin-console-3.6.1.jar & gremlin-driver.3.6.1.jar (netty-all.4.1.77.Final)
Yingjie Li
Hello all,
There is a high security vulnerability due to the netty-all jars in janusgraph-full-1.0.0-rc1, which we'd like to upgrade to version > 4.1.82.Final. For ./lib/netty-all-4.1.58.Final.jar, I have directly replaced it with the latest version netty-all-4.1.87.Final.jar and it seems all good for my use. Any pointers on where to get the upgraded versions of the embedded gremlin-console-3.6.1.jar and gremlin-driver.3.6.1.jar?

Thanks,
Yingjie
hadoopmarc@...
Hi Yingjie,
Sorry, I do not understand. The gremlin-console-3.6.1.jar and gremlin-driver.3.6.1.jar are part of janusgraph-1.0.0-rc1.

Marc
Yingjie Li
Hello Marc,
Yes, they are in the ./lib directory of janusgraph-1.0.0-rc1 and they embed netty-all.4.1.77.Final.jar, whose CVEs can be found at https://mvnrepository.com/artifact/io.netty/netty-all/4.1.77.Final; the latest version is 4.1.87. The ./lib/ directory also comes with netty-all-4.1.58.Final.jar.

Actually, in the all-in-one package janusgraph-full-1.0.0-rc1 that comes with Cassandra 4.0.6, the netty-all version in both the JanusGraph lib and the Cassandra lib is 4.1.58, which has a higher security risk of CVSS 8.4 (sonatype-2021-0789). I was able to successfully replace the one in the JanusGraph lib with the latest 4.1.87 version, but replacing the one in the Cassandra lib threw an exception and it failed to start. I also checked the latest Cassandra (4.1.0) and it still has the old version jar (4.1.58).

Just wondering whether anybody has some experience in replacing this jar with a higher version in Cassandra or gremlin console & driver 3.6.1. Also, any pointers to other user groups that might be able to help are appreciated.

Thanks,
Yingjie

On Wed, Jan 25, 2023 at 2:06 AM <hadoopmarc@...> wrote:
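The posts above turn on one practical question: which jars in a JanusGraph or Cassandra lib/ directory carry Netty, and at what version, including Netty bundled inside a shaded jar such as a console or driver jar. The script below is an added example, not code from the thread or from the JanusGraph project. It reads the Maven metadata that bundled artifacts normally keep under META-INF/maven/io.netty/<artifact>/pom.properties, falls back to the jar file name, and flags any jar that contains io/netty/ classes with no recoverable version so it is not silently passed. The threshold (anything not newer than 4.1.82.Final is a finding) is the one the first post states; the sample jars are constructed in memory and are not real artifacts.

```python
"""Audit a lib/ directory for bundled Netty versions (added example, not project code)."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Threshold taken from the thread: anything not newer than 4.1.82.Final is a finding.
LAST_BAD = (4, 1, 82)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.Final)?")
# Maven metadata that a shaded jar keeps for each io.netty artifact it bundles.
POM_RE = re.compile(r"^META-INF/maven/io\.netty/([^/]+)/pom\.properties$")
JAR_NAME_RE = re.compile(r"^(netty(?:-[a-z0-9-]+)?)-(\d+\.\d+\.\d+)(?:\.Final)?\.jar$")


def parse_version(text):
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def _finding(jar, artifact, version):
    # An unknown version is reported as outdated so it cannot pass unnoticed.
    outdated = version is None or version <= LAST_BAD
    return {"jar": jar, "artifact": artifact, "version": version, "outdated": outdated}


def scan_jar(name, data):
    """Findings for one jar: pom.properties first, then file name, then bare io/netty/ classes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for entry in names:
            m = POM_RE.match(entry)
            if not m:
                continue
            props = zf.read(entry).decode("utf-8", "replace")
            ver_line = next((l for l in props.splitlines() if l.startswith("version=")), "")
            findings.append(_finding(name, m.group(1), parse_version(ver_line)))
        if not findings:
            m = JAR_NAME_RE.match(name)
            if m:
                findings.append(_finding(name, m.group(1), parse_version(m.group(2))))
            elif any(n.startswith("io/netty/") for n in names):
                findings.append(_finding(name, "io.netty (metadata stripped)", None))
    return findings


def audit(jars):
    """jars: mapping of file name -> jar bytes. Returns all findings, outdated ones first."""
    out = []
    for name, data in jars.items():
        out.extend(scan_jar(name, data))
    return sorted(out, key=lambda f: (not f["outdated"], f["jar"]))


def build_jar(entries):
    """Build an in-memory jar from {path: content}; only used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample lib/ mirroring the thread's description; these are not real artifacts.
SAMPLE_LIB = {
    "netty-all-4.1.58.Final.jar": build_jar({
        "META-INF/maven/io.netty/netty-all/pom.properties": "version=4.1.58.Final\nartifactId=netty-all\n",
        "io/netty/channel/Channel.class": "",
    }),
    "gremlin-driver-3.6.1.jar": build_jar({  # assumed shaded jar that bundles Netty
        "META-INF/maven/org.apache.tinkerpop/gremlin-driver/pom.properties": "version=3.6.1\n",
        "META-INF/maven/io.netty/netty-all/pom.properties": "version=4.1.77.Final\n",
        "io/netty/handler/ssl/SslHandler.class": "",
    }),
    "netty-all-4.1.87.Final.jar": build_jar({
        "META-INF/maven/io.netty/netty-all/pom.properties": "version=4.1.87.Final\n",
    }),
    "relocated-netty.jar": build_jar({  # classes present, Maven metadata stripped
        "io/netty/buffer/ByteBuf.class": "",
    }),
    "cassandra-all-4.0.6.jar": build_jar({
        "org/apache/cassandra/service/CassandraDaemon.class": "",
    }),
}


def main(argv):
    """Usage: python audit_netty.py [lib_dir]; with no argument the constructed samples are scanned."""
    if len(argv) > 1:
        jars = {p.name: p.read_bytes() for p in Path(argv[1]).glob("*.jar")}
    else:
        jars = SAMPLE_LIB
    for f in audit(jars):
        ver = ".".join(map(str, f["version"])) + ".Final" if f["version"] else "unknown"
        print(f"{'OUTDATED' if f['outdated'] else 'ok      '} {f['jar']}: {f['artifact']} {ver}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against each lib/ directory separately (JanusGraph's and Cassandra's), since, as the post notes, the two ship their own copies and must be checked and upgraded independently. A jar reported with an unknown version deserves manual inspection: a relocation step that stripped the Maven metadata hides the bundled version from tooling like this, so a clean report from metadata alone is not proof of absence.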
hadoopmarc@...
Hi Yingjie,
Still not clear to me.
Marc

On Wed, Jan 25, 2023 at 01:16 PM, Yingjie Li wrote: