[ https://issues.apache.org/jira/browse/OMID-252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17777860#comment-17777860 ]

Nihal Jain edited comment on OMID-252 at 10/20/23 4:54 PM:
-----------------------------------------------------------

Scanned **/target/*.tar.gz for phoenix-omid, built using the command: mvn clean 
install -Dhbase.version=2.5.5-hadoop3.

 

Using our internal tool, the following CVEs were detected:
|*THREAT*|*SECURITY ISSUE*|*CVSS SCORE*|*COMPONENT*|
|10|CVE-2017-7525|9.8|org.codehaus.jackson : jackson-mapper-asl : 1.9.13|
|10|CVE-2019-10172|7.5|org.codehaus.jackson : jackson-mapper-asl : 1.9.13|
|9|CVE-2022-25168|9.8|org.apache.hadoop : hadoop-common : 3.1.4|
|9|CVE-2022-26612|9.8|org.apache.hadoop : hadoop-common : 3.1.4|
|9|sonatype-2018-0624|9.8|com.fasterxml.woodstox : woodstox-core : 5.0.3|
|9|CVE-2023-44981|9.1|org.apache.zookeeper : zookeeper : 3.5.7|
|8|sonatype-2020-0348|8.5|com.fasterxml.jackson.core : jackson-databind : 2.9.10.4|
|8|sonatype-2020-0436|8.5|com.fasterxml.jackson.core : jackson-databind : 2.9.10.4|
|8|sonatype-2022-5820|8.2|org.apache.hadoop : hadoop-common : 3.1.4|
|8|CVE-2020-14060|8.1|com.fasterxml.jackson.core : jackson-databind : 2.9.10.4|
|8|CVE-2020-14061|8.1|com.fasterxml.jackson.core : jackson-databind : 2.9.10.4|
|8|CVE-2020-25649|7.5|com.fasterxml.jackson.core : jackson-databind : 2.9.10.4|
|8|CVE-2020-36518|7.5|com.fasterxml.jackson.core : jackson-databind : 2.9.10.4|
|8|CVE-2021-35515|7.5|org.apache.commons : commons-compress : 1.19|
|8|CVE-2021-35516|7.5|org.apache.commons : commons-compress : 1.19|
|8|CVE-2021-35517|7.5|org.apache.commons : commons-compress : 1.19|
|8|CVE-2021-36090|7.5|org.apache.commons : commons-compress : 1.19|
|8|CVE-2022-3509|7.5|com.google.protobuf : protobuf-java : 2.5.0|
|8|CVE-2022-40152|7.5|com.fasterxml.woodstox : woodstox-core : 5.0.3|
|8|CVE-2022-42003|7.5|com.fasterxml.jackson.core : jackson-databind : 2.9.10.4|
|8|CVE-2022-42004|7.5|com.fasterxml.jackson.core : jackson-databind : 2.9.10.4|
|8|CVE-2023-34454|7.5|org.xerial.snappy : snappy-java : 1.0.5|
|8|CVE-2023-34455|7.5|org.xerial.snappy : snappy-java : 1.0.5|
|8|CVE-2023-39410|7.5|org.apache.avro : avro : 1.7.7|
|8|sonatype-2017-0359|7.5|org.apache.httpcomponents : httpclient : 4.5.2|
|8|sonatype-2021-1694|7.5|com.google.code.gson : gson : 2.2.4|
|8|sonatype-2022-6438|7.5|com.fasterxml.jackson.core : jackson-core : 2.9.10|
|7|CVE-2021-37533|6.5|commons-net : commons-net : 3.6|
|7|CVE-2023-34462|6.5|io.netty : netty-handler : 4.1.86.Final|
|7|sonatype-2020-0026|6.5|io.netty : netty-handler : 4.1.86.Final|
|7|sonatype-2020-0244|5.9|org.jruby.joni : joni : 2.1.31|
|7|CVE-2021-22569|5.5|com.google.protobuf : protobuf-java : 2.5.0|
|7|CVE-2020-13956|5.3|org.apache.httpcomponents : httpclient : 4.5.2|
|7|sonatype-2021-4954|5.3|org.apache.commons : commons-compress : 1.19|

Also ran OWASP locally, which gave similar results.

 

As can be seen, most of the CVEs come in via hadoop/hbase/zk and will 
depend on which version is used to compile. In my case I stuck to the codebase 
defaults for hadoop and ZK, along with hbase.version=2.5.5-hadoop3.

Only netty-all is a direct dependency with a CVE. Will create a subtask to fix 
it.

Will also create another one to bump phoenix-thirdparty once it is released, as 
com.google.guava:guava:31.0.1-android has 
[https://nvd.nist.gov/vuln/detail/CVE-2023-2976].

bouncycastle also has a CVE, but it is not packaged and is a test 
dependency, so it should be good.

Will also create a subtask to bump other dependencies to the latest versions.
|*Property*|*From*|*To*|
|hbase.version|2.4.13|2.4.17|
|log4j2.version|2.18.0|2.21.0|
|junit.version|4.13.1|4.13.2|
|guava.version|32.1.1-jre|32.1.3-jre|
|commons-lang3.version|3.12.0|3.13.0|
|google.findbugs.version|3.0.1|3.0.2|

Also identified a bunch of really old jars in use in the code base, like the 
ones used for maven plugins, mockito, commons-*, etc., which do not cause any 
security issues as such. Will work on fixing those in the coming days, but will 
keep that outside the scope of this ticket to avoid blocking any releases.

Let me know if this plan sounds good. 

CC: [~stoty] [~rajeshbabu] [~vjasani] 


was (Author: nihaljain.cs): [earlier revision of the same comment, identical to the above except that the dependency-bump table did not yet include the commons-lang3.version and google.findbugs.version rows]

> Analyse and fix possible vulnerabilities for 1.1.1 release
> ----------------------------------------------------------
>
>                 Key: OMID-252
>                 URL: https://issues.apache.org/jira/browse/OMID-252
>             Project: Phoenix Omid
>          Issue Type: Task
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>
> Here will try and analyse any vulnerabilities which can be fixed before the 
> 1.1.1 release. Will create subtasks as I identify them!
> CC: [~stoty] [~rajeshbabu] [~vjasani] 
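A scanner along the lines of the tarball scan described in the comment above, added here as an example (it is not Omid's code and not the internal tool or OWASP run mentioned there): it walks a built tar.gz, reads the Maven coordinates embedded in each bundled jar's META-INF/maven/*/pom.properties rather than trusting file names, and checks them against a small constructed denylist copied from the scan table. The sample tarball, the example.thirdparty:shaded-bundle coordinate and the demo() helper are constructed for the example; the shaded jar shows why a file-name-only inventory misses a relocated guava such as the one pulled in via phoenix-thirdparty.

```python
import io
import os
import tarfile
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

Coord = Tuple[str, str, str]  # (groupId, artifactId, version)

# Constructed denylist: a handful of coordinates copied from the scan table in the
# comment. A real scanner (OWASP Dependency-Check, Sonatype, ...) uses a full database.
KNOWN_VULNERABLE: Dict[Coord, List[str]] = {
    ("org.codehaus.jackson", "jackson-mapper-asl", "1.9.13"): ["CVE-2017-7525", "CVE-2019-10172"],
    ("com.fasterxml.jackson.core", "jackson-databind", "2.9.10.4"): ["CVE-2020-36518", "CVE-2022-42003", "CVE-2022-42004"],
    ("org.apache.zookeeper", "zookeeper", "3.5.7"): ["CVE-2023-44981"],
    ("com.google.guava", "guava", "31.0.1-android"): ["CVE-2023-2976"],
}


def parse_pom_properties(text: str) -> Optional[Coord]:
    """Parse a Maven pom.properties file; None if a required key is missing."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    try:
        return (props["groupId"], props["artifactId"], props["version"])
    except KeyError:
        return None


def jar_coordinates(jar_bytes: bytes) -> List[Coord]:
    """Every Maven coordinate embedded in a jar (a shaded jar carries several)."""
    coords: List[Coord] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                coord = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if coord is not None:
                    coords.append(coord)
    return coords


def scan_tarball(path: str) -> Dict[str, List[Tuple[Coord, List[str]]]]:
    """Map each bundled jar (tar member name) to its (coordinate, advisories) hits."""
    findings: Dict[str, List[Tuple[Coord, List[str]]]] = {}
    with tarfile.open(path, "r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile() or not member.name.endswith(".jar"):
                continue
            data = tf.extractfile(member).read()
            hits = [(c, KNOWN_VULNERABLE[c]) for c in jar_coordinates(data) if c in KNOWN_VULNERABLE]
            if hits:
                findings[member.name] = hits
    return findings


def make_jar(coords: List[Coord]) -> bytes:
    """Minimal jar carrying one pom.properties per coordinate (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for group, artifact, version in coords:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()


def build_sample_tarball(dest_dir: str) -> str:
    """Constructed stand-in for a target/*.tar.gz; not a real Omid distribution."""
    jars: Dict[str, List[Coord]] = {
        "omid-dist/lib/jackson-mapper-asl-1.9.13.jar": [("org.codehaus.jackson", "jackson-mapper-asl", "1.9.13")],
        "omid-dist/lib/zookeeper-3.5.7.jar": [("org.apache.zookeeper", "zookeeper", "3.5.7")],
        "omid-dist/lib/commons-lang3-3.13.0.jar": [("org.apache.commons", "commons-lang3", "3.13.0")],
        # Hypothetical shaded bundle: its own coordinate plus a relocated guava copy.
        # A scan keyed on the jar file name alone never sees the guava inside it.
        "omid-dist/lib/shaded-bundle.jar": [("example.thirdparty", "shaded-bundle", "1.0"),
                                            ("com.google.guava", "guava", "31.0.1-android")],
    }
    path = os.path.join(dest_dir, "sample-dist.tar.gz")
    with tarfile.open(path, "w:gz") as tf:
        for name, coords in jars.items():
            data = make_jar(coords)
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return path


def demo() -> Dict[str, List[Tuple[Coord, List[str]]]]:
    """Build the constructed tarball in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tarball(build_sample_tarball(tmp))


if __name__ == "__main__":
    for jar, hits in sorted(demo().items()):
        for coord, advisories in hits:
            print(f"{jar}: {':'.join(coord)} -> {', '.join(advisories)}")
```

Point scan_tarball() at a real **/target/*.tar.gz to inventory a build; the matching is only as good as the denylist, so treat it as a triage aid next to a full scanner, not a replacement for one. Reading pom.properties is also what distinguishes a direct bump (netty-all in Omid's own pom) from a transitive one that only moves when hbase, hadoop, zookeeper or phoenix-thirdparty is bumped.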



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
