[https://issues.apache.org/jira/browse/AVRO-3111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17425610#comment-17425610]

Andrew May commented on AVRO-3111:
----------------------------------

The NIST NVD database has marked Avro 1.10.1 & 1.10.2 as vulnerable to 
CVE-2019-17195 (possibly as a result of this Jira issue being raised)
[https://nvd.nist.gov/vuln/detail/CVE-2019-17195], which lists the following 
CPEs as 'affected software configurations':
cpe:2.3:a:apache:avro:1.10.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:avro:1.10.2:*:*:*:*:*:*:*


My reading of the above comments & the original issue is that the transitive 
Avro-Tools->Hadoop->Nimbus dependency is not from the 'avro' artifact, but is 
only from the 'avro-tools' artifact, i.e. the CPEs in the NVD database are 
incorrect.

Can anyone confirm that this is correct? (So that we can try to get NVD updated 
to avoid false positives for projects that can't update their Avro version yet.)

> Update Hadoop versions to prevent false-positive security reports
> -----------------------------------------------------------------
>
>                 Key: AVRO-3111
>                 URL: https://issues.apache.org/jira/browse/AVRO-3111
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.10.1, 1.10.2
>         Environment: Docker image built on library/buildpack-deps:buster-curl 
> ([buildpack-deps (docker.com)|https://hub.docker.com/_/buildpack-deps])
>            Reporter: David L. Day
>            Assignee: Ismaël Mejía
>            Priority: Major
>             Fix For: 1.11.0
>
>
> When installing avro-tools in a container on a debian image, my company's 
> image scanner reports CVE-2019-17195:
> _Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions 
> while parsing a JWT, which could result in an application crash (potential 
> information disclosure) or a potential authentication bypass._
> I see other Apache projects have had this CVE reported and have been fixed, 
> but did not see where this was reported for Apache Avro Tools specifically.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
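The check the comment above asks for, as an added example that is not part of this issue or of the Avro project: parse `mvn dependency:tree` output and report every path that ends in a nimbus-jose-jwt version below the fixed 7.9, grouped by the direct dependency that introduces it. The tree text is constructed; the Hadoop version is a placeholder and the nimbus-jose-jwt version is a made-up pre-7.9 value.

```python
import re
from typing import List, Tuple

# Constructed `mvn dependency:tree` output, not real tool output: the avro and
# avro-tools coordinates are from the issue; the Hadoop version is a placeholder
# and the nimbus-jose-jwt version is a made-up value below the fixed 7.9.
SAMPLE_TREE = """\
[INFO] example:consumer:jar:1.0
[INFO] +- org.apache.avro:avro:jar:1.10.2:compile
[INFO] \\- org.apache.avro:avro-tools:jar:1.10.2:compile
[INFO]    \\- org.apache.hadoop:hadoop-client:jar:HADOOP-VERSION-PLACEHOLDER:compile
[INFO]       \\- com.nimbusds:nimbus-jose-jwt:jar:7.8:compile
"""

# Each tree level is a 3-character column: "|  ", "   ", "+- " or "\- ".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |   |\+- |\\- )*)(?P<coord>\S+)$")

def parse_tree(text: str) -> List[List[str]]:
    """Return the root-to-node path, as group:artifact:version strings, for every node."""
    paths: List[List[str]] = []
    stack: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")  # g:a:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        stack = stack[:depth] + [f"{parts[0]}:{parts[1]}:{version}"]
        paths.append(list(stack))
    return paths

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only comparison; non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def vulnerable_paths(text: str, target: str = "com.nimbusds:nimbus-jose-jwt",
                     fixed: str = "7.9") -> List[List[str]]:
    """Every dependency path ending in `target` at a version below `fixed`."""
    hits = []
    for path in parse_tree(text):
        g, a, v = path[-1].split(":")
        if f"{g}:{a}" == target and parse_version(v) < parse_version(fixed):
            hits.append(path)
    return hits

def introducing_dependencies(text: str) -> List[str]:
    """The direct (depth-1) dependencies through which the vulnerable artifact arrives."""
    return sorted({p[1] for p in vulnerable_paths(text) if len(p) > 1})
```

Run it on the real `mvn dependency:tree` output of a project that declares both `avro` and `avro-tools`: if `introducing_dependencies` names only `avro-tools`, the `avro` artifact itself does not carry the Nimbus dependency.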