ostinru commented on issue #1805: URL: https://github.com/apache/cloudberry/issues/1805#issuecomment-4621944547
Hi, @NadeemRajput-sys ! We are doing our best to keep cloudberry-pxf secure. > Spring Boot 2.5.12 It seems that you are using cloudberry-pxf as it was firstly released to opensource. Let's call it cloudberry-pxf 2.0. We have updated spring-boot to 2.7.18 during cloudberry-pxf 2.1 release. You can update your cloudberry-pxf version to 2.1. It should be compatible. However, vulnerability scanners will complain about spring-boot vulnerabilities: VMWare provides security patches only in Enterprise Support, that we don't have. --- Then we should think about security model: * Hackers can attack HTTP-endpoints (Spring Boot here!) * Hackers can attack us by placing malicious files on S3 / HDFS / external storage Keeping this in mind, we can mitigate issues: * Allow only localhost access to PXF (use firewall or listen only on localhost). * Use fresh and secure libraries that decodes / parses external sources. As a result of this 2 actions, we do not expose vulnerable Spring libraries for attacker. Moreover we still following VMWare changelog and updating 3rd party libraries (e.g. Tomcat like VMWare did in https://enterprise.spring.io/projects/spring-boot/2.7.21 ). However Spring Framework cannot be updated (your security scanner will point this out). Final notes: It is clear for the team, that we should update spring-boot to 3.5.x or 4.0.x. However it will force our users updating to Java 17. This is breaking change, that we would like to do in a major cloudberry-pxf 3.0. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
