Comments (7)
Hi @nanjiangshu. I know it's unfortunate, but there are indeed a number of security alerts on the Apollo codebase right now that are reported by security scanners. I reported a security scan from the grype tool here.
We took effort to remediate the log4j issue at the request of a user, but it took concerted effort, and it may be difficult to fix many of these issues because many of them come from the Grails platform version that we use, and it is difficult to upgrade to the latest version of Grails without changing a large amount of code.
I don't have any specific recommendation for now but to be aware of this. We can leave this issue open, and if you would like to look into contributing any possible fixes, then we may be able to accept pull requests, though I know that is a big task.
@cmdcolin Thanks for your quick reply, and I understand you have a lot of similar issues to handle. We need to find a solution ourselves, since the resource provider will shut down all our deployed instances if the problem is not solved. Would it be possible for us to ask you some questions about the configuration of Apache Shiro in case we encounter problems?
Certainly, let us know of any questions. There is some possibility that Shiro could be upgraded to some patch version if that is the only one you need. See here for the PR that updated the log4j version: #2654
Hi @cmdcolin. Thanks for your tips. I tried to upgrade the Shiro version to 1.2.5 by changing the code at https://github.com/GMOD/Apollo/blob/develop/grails-app/conf/BuildConfig.groovy#L137. However, when building the Docker image, I received the following error.
| Error Resolve error obtaining dependencies: Could not find artifact org.grails.plugins:shiro:zip:1.2.5 in grailsCentral (https://repo.grails.org/grails/plugins) (Use --stacktrace to see the full trace)
Is there a way to provide a URL to Grails so that it can find Shiro version 1.2.5?
I'm not sure what exactly Shiro 1.2.5 is. I see only "1.2.1" here, but I'm not sure if we even use that: https://repo.grails.org/ui/packages/gav:%2F%2Forg.grails.plugins:shiro?name=shiro&type=packages
My scan from https://gist.github.com/cmdcolin/df8e92fe3e82fb2856b5c08d90bf4a32 indicated various Shiro subpackages were in use.
Is it shiro-core or something like that? Package list: https://repo.grails.org/ui/packages?name=shiro&type=packages
I will also note that your security scan noted that disabling remember me could be another alternative. Not sure if that's easier or harder.
As you pointed out, it seems the Grails plugin does not provide a Shiro version higher than 1.2.1, although at Maven Central many newer versions of Shiro are provided: https://mvnrepository.com/artifact/org.grails/grails-plugin-servlets. I don't know how much work it would require to let the BuildConfig use shiro-core from Maven, and I probably don't have the time either.
It seems it is quite easy to disable the "RememberMe" feature, and I will talk with the sysadmin to see if they accept this option.
Hello @nanjiangshu,
It seems it is quite easy to disable the feature "RememberMe" and I will talk with the sysadmin if they accept this option.
Were you able to disable this option in Apollo to address the vulnerability? If so, could you briefly describe how or point to relevant docs? I haven't been able to find any guidance in my search.
Many thanks.