averma111 opened a new issue #9874: URL: https://github.com/apache/druid/issues/9874
Hi Team, I have deployed Druid 0.18 in a GKE environment and my DevOps team has pointed out the vulnerabilities below, with descriptions.

| Package Name | Package Version | Fix Status | Version used in Application | Comment From Application Team | Description |
| -- | -- | -- | -- | -- | -- |
| com.fasterxml.jackson.core_jackson-databind | 2.4.0 | fixed in 2.9.10.4 | 2.10.2 | There is no direct reference to the 2.4.0 version of jackson.core_jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). |
| com.google.guava_guava | 11.0.2 | fixed in 24.1.1 | 11.0.2 & 16.0.1 | This is being analysed | Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. |
| io.netty_netty | 3.10.6.Final | fixed in 4.1.44 | 3.10.6.Final | The suggested version 4.1.44 is not compatible with the Druid application code, and replacing the jar fails the application with a NoClassFound error. | HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." |

Could you please help me justify them? I have already given the description from my side, but if any committer or contributor could pitch in, it would be helpful.

Thanks,
Ashish

This is an automated message from the Apache Git Service.
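A small triage helper for findings like the table above, added here as an example and not part of Druid or of this issue: it compares each version actually shipped against the version the scanner says carries the fix and flags when the fix lives in a different major line (the usual reason a drop-in jar swap breaks, as with netty 3.x vs 4.x). It assumes the three rows are as reported in the issue and does a simplified numeric comparison rather than Maven's full qualifier ordering; which jar the scanner matched as jackson-databind 2.4.0 still has to be located on the classpath separately.

```python
"""Compare shipped dependency versions with scanner fix versions.

Added example, not Apache Druid project code. The FINDINGS rows are
constructed from the table in this issue; version ordering is a simplified
numeric comparison, not Maven's full ComparableVersion rules.
"""
import re


def parse_version(v):
    """Split '2.9.10.4' or '3.10.6.Final' into (numeric tuple, qualifier).

    Qualifiers such as 'Final' are kept for display only; they do not take
    part in ordering in this simplified scheme.
    """
    nums, qual = [], ""
    for part in re.split(r"[.\-]", v.strip()):
        if part.isdigit():
            nums.append(int(part))
        else:
            qual = part
    return tuple(nums), qual


def version_lt(a, b):
    """True if version string a sorts before b (numeric parts, zero-padded)."""
    na, _ = parse_version(a)
    nb, _ = parse_version(b)
    width = max(len(na), len(nb))
    return na + (0,) * (width - len(na)) < nb + (0,) * (width - len(nb))


def triage(package, fix_version, used_versions):
    """Report which shipped versions predate the fix and whether adopting the
    fix means crossing a major version (likely API break, needs real testing)."""
    affected = [u for u in used_versions if version_lt(u, fix_version)]
    fix_major = parse_version(fix_version)[0][0]
    major_jump = any(parse_version(u)[0][0] != fix_major for u in affected)
    status = "affected" if affected else "not affected (shipped >= fix)"
    return {"package": package, "status": status,
            "affected_versions": affected, "major_version_change": major_jump}


# Constructed from the issue's table: (package, fix version, versions in use).
FINDINGS = [
    ("com.fasterxml.jackson.core:jackson-databind", "2.9.10.4", ["2.10.2"]),
    ("com.google.guava:guava", "24.1.1", ["11.0.2", "16.0.1"]),
    ("io.netty:netty", "4.1.44", ["3.10.6.Final"]),
]


def triage_all(findings=FINDINGS):
    return [triage(p, f, u) for p, f, u in findings]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```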
