Hi Allen,

Thanks for sharing these. I looked at the CVEs flagged as part of Ratis to make sure they are addressed before the Ozone Alpha. I am not sure if these scans are producing meaningful messages.

1. CVE-2012-4449 | High | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT

   From https://nvd.nist.gov/vuln/detail/CVE-2012-4449: Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.

   Ratis does not have any code that would map to this issue.

2. CVE-2016-5001 | Low | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT

   https://nvd.nist.gov/vuln/detail/CVE-2016-5001: This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

   Ratis does not have a code path that corresponds to what this CVE seems to describe.

3. CVE-2017-3161 | Medium | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT

   The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

   Ratis has no WebUI.

4. CVE-2017-3162 | High | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT

   HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

   Very HDFS-specific CVE. Not related to Ratis at all.

Either I am making a mistake or the tool is not producing the right messages. Can someone take a second look and help me understand if I am making a mistake?

Thanks
Anu

On 8/7/18, 8:37 AM, "Josh Elser" <[email protected]> wrote:

Yikes. o.O

On 8/3/18 2:47 PM, Allen Wittenauer wrote:
>
>> On Aug 3, 2018, at 10:29 AM, Josh Elser <[email protected]> wrote:
>>
>> Hi Nick!
>>
>> In chatting with Sean before sending this email, he pretty much suggested the same thing to me. I think this is the eventuality I need to embrace -- was just hoping for something a little less drastic for a first contribution ;)
>>
>
> Playing with YETUS-441 (which still hasn't been committed, for those of you with time to review patches), you could always make your first contribution to fix up any valid CVEs… haha.
>
> CVE | Severity | Dependency
> CVE-2015-5237 | Medium | protobuf-javanano-3.1.0.jar
> CVE-2014-3488 | Medium | netty-tcnative-2.0.8.Final-linux-x86_64.jar
> CVE-2015-2156 | Medium | netty-tcnative-2.0.8.Final-linux-x86_64.jar
> CVE-2017-5645 | High | log4j-api-2.6.2.jar
> CVE-2011-4461 | Medium | jetty-6.1.26.jar
> CVE-2014-0114 | High | commons-beanutils-1.7.0.jar
> CVE-2014-0114 | High | commons-beanutils-core-1.8.0.jar
> CVE-2015-5237 | Medium | protobuf-java-2.5.0.jar
> CVE-2017-12972 | Medium | nimbus-jose-jwt-3.9.jar
> CVE-2017-12973 | Medium | nimbus-jose-jwt-3.9.jar
> CVE-2017-12974 | Medium | nimbus-jose-jwt-3.9.jar
> CVE-2014-0085 | Low | curator-framework-2.7.1.jar
> CVE-2016-5017 | Medium | curator-framework-2.7.1.jar
> CVE-2018-8012 | Medium | curator-framework-2.7.1.jar
> CVE-2017-15713 | Medium | hadoop-auth-3.0.0-alpha1.jar
> CVE-2017-3166 | Medium | hadoop-auth-3.0.0-alpha1.jar
> CVE-2017-7669 | High | hadoop-auth-3.0.0-alpha1.jar
> CVE-2016-5725 | Medium | jsch-0.1.51.jar
> CVE-2014-0193 | Medium | netty-3.7.0.Final.jar
> CVE-2014-3488 | Medium | netty-3.7.0.Final.jar
> CVE-2015-2156 | Medium | netty-3.7.0.Final.jar
> CVE-2014-0085 | Low | zookeeper-3.4.6.jar
> CVE-2016-5017 | Medium | zookeeper-3.4.6.jar
> CVE-2017-5637 | Medium | zookeeper-3.4.6.jar
> CVE-2018-8012 | Medium | zookeeper-3.4.6.jar
> CVE-2015-4035 | Medium | xz-1.0.jar
> CVE-2012-4449 | High | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> CVE-2016-5001 | Low | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> CVE-2017-3161 | Medium | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> CVE-2017-3162 | High | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
>
>
