ostinru commented on issue #1805:
URL: https://github.com/apache/cloudberry/issues/1805#issuecomment-4621944547

   Hi, @NadeemRajput-sys ! We are doing our best to keep cloudberry-pxf secure.
   
   
   > Spring Boot 2.5.12
   
   It seems that you are using cloudberry-pxf as it was firstly released to 
opensource. Let's call it cloudberry-pxf 2.0.
   We have updated spring-boot to 2.7.18 during cloudberry-pxf 2.1 release. You 
can update your cloudberry-pxf version to 2.1. It should be compatible.
   
   However, vulnerability scanners will complain about spring-boot 
vulnerabilities: VMWare provides security patches only in Enterprise Support, 
that we don't have.
   
   ---
   
   Then we should think about security model:
   * Hackers can attack HTTP-endpoints (Spring Boot here!)
   * Hackers can attack us by placing malicious files on S3 / HDFS / external 
storage
   
   Keeping this in mind, we can mitigate issues:
   * Allow only localhost access to PXF (use firewall or listen only on 
localhost).
   * Use fresh and secure libraries that decodes / parses external sources.
   
   As a result of this 2 actions, we do not expose vulnerable Spring libraries 
for attacker.
   
   Moreover we still following VMWare changelog and updating 3rd party 
libraries (e.g. Tomcat like VMWare did in 
https://enterprise.spring.io/projects/spring-boot/2.7.21 ). However Spring 
Framework cannot be updated (your security scanner will point this out).
   
   Final notes:
   It is clear for the team, that we should update spring-boot to 3.5.x or 
4.0.x. However it will force our users updating to Java 17. This is breaking 
change, that we would like to do in a major cloudberry-pxf 3.0.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to