Krisztian Kasa created AMBARI-25323:
---------------------------------------
Summary: Ambari Infra Manager: CVE issues
Key: AMBARI-25323
URL: https://issues.apache.org/jira/browse/AMBARI-25323
Project: Ambari
Issue Type: Bug
Components: ambari-infra
Affects Versions: 2.7.3
Reporter: Krisztian Kasa
Assignee: Krisztian Kasa
Fix For: 2.7.4
1. Remove dependency on com.thoughtworks.xstream:xstream:jar:1.4.10 in Ambari
Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2013-7285
{code}
± % mvn dependency:tree -Dincludes=com.thoughtworks.xstream:xstream
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] \- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
{code}
2. Remove dependency on org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31 in
Ambari Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2018-8014
{code}
± % mvn dependency:tree -Dincludes=org.apache.tomcat
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.13.RELEASE:provided
[INFO]    \- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31:provided
[INFO]       \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.31:provided
{code}
3. Remove dependency on org.apache.logging.log4j:log4j-core:jar:2.7 in Ambari
Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2017-5645
{code}
± % mvn dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-log4j2:jar:1.5.13.RELEASE:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.7:compile
{code}
4. Remove dependency on org.eclipse.jetty:jetty.* 9.4.10.v20180503 in Ambari
Server due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2017-7657
https://nvd.nist.gov/vuln/detail/CVE-2017-7658
https://nvd.nist.gov/vuln/detail/CVE-2019-10247
https://nvd.nist.gov/vuln/detail/CVE-2018-12536
https://nvd.nist.gov/vuln/detail/CVE-2018-12545
https://nvd.nist.gov/vuln/detail/CVE-2019-10241
{code}
± % mvn dependency:tree -Dincludes=org.eclipse.jetty
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-jetty:jar:1.5.13.RELEASE:compile
[INFO]    +- org.eclipse.jetty:jetty-servlets:jar:9.4.10.v20180503:compile
[INFO]    |  +- org.eclipse.jetty:jetty-continuation:jar:9.4.10.v20180503:compile
[INFO]    |  +- org.eclipse.jetty:jetty-http:jar:9.4.10.v20180503:compile
[INFO]    |  +- org.eclipse.jetty:jetty-util:jar:9.4.10.v20180503:compile
[INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.4.10.v20180503:compile
[INFO]    +- org.eclipse.jetty:jetty-webapp:jar:9.4.10.v20180503:compile
[INFO]    |  +- org.eclipse.jetty:jetty-xml:jar:9.4.10.v20180503:compile
[INFO]    |  \- org.eclipse.jetty:jetty-servlet:jar:9.4.10.v20180503:compile
[INFO]    |     \- org.eclipse.jetty:jetty-security:jar:9.4.10.v20180503:compile
[INFO]    |        \- org.eclipse.jetty:jetty-server:jar:9.4.10.v20180503:compile
[INFO]    +- org.eclipse.jetty.websocket:websocket-server:jar:9.4.10.v20180503:compile
[INFO]    |  \- org.eclipse.jetty.websocket:websocket-client:jar:9.4.10.v20180503:compile
[INFO]    |     \- org.eclipse.jetty:jetty-client:jar:9.4.10.v20180503:compile
[INFO]    \- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.10.v20180503:compile
[INFO]       \- org.eclipse.jetty:jetty-annotations:jar:9.4.10.v20180503:compile
[INFO]          \- org.eclipse.jetty:jetty-plus:jar:9.4.10.v20180503:compile
{code}
5. Remove dependency on markedjs 0.3.2 or upgrade swagger-ui with a newer
markedjs version in Ambari Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2017-16114
https://nvd.nist.gov/vuln/detail/CVE-2016-10531
https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
https://nvd.nist.gov/vuln/detail/CVE-2015-8854
https://nvd.nist.gov/vuln/detail/CVE-2015-1370
{code}
~/ambari/ambari-infra/ambari-infra-manager [branch-2.7 *]
± % ag marked.js
target/classes/swagger/swagger.html
42: <script src='swagger-ui/2.2.2/lib/marked.js' type='text/javascript'></script>
src/main/resources/swagger/swagger.html
42: <script src='swagger-ui/2.2.2/lib/marked.js' type='text/javascript'></script>
{code}
6. Remove dependency on org.springframework.security:spring-security-web
4.3.12.RELEASE in Ambari Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2018-15756
{code}
± % mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @
ambari-infra-manager ---
...
[INFO] | \- org.springframework:spring-web:jar:4.3.12.RELEASE:compile
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
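Every item in the issue is found the same way: run `mvn dependency:tree`, look for a flagged groupId:artifactId:version, and trace it back to the direct dependency that pulls it in, since that is the pom entry to exclude or upgrade. The script below is an added example written for this issue, not Ambari project code. It parses the plugin's text output in the format quoted above, keeps each node's parent chain, and reports every match against an audit list built from the coordinates and CVE ids quoted in the issue (the spring-web rule uses the coordinate shown in the item 6 tree line). The `Dep` and `Rule` names are the example's own, and the sample tree it runs on is a constructed condensation of the quoted output, not a real build log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One tree line: "[INFO] " + glyph cells ("|  ", "   ", "+- ", "\- ") + Maven coordinates.
_LINE_RE = re.compile(r"^\[INFO\] (?P<tree>(?:[| ] {2})*(?:[+\\]- )?)(?P<coord>[\w.\-]+:[\w.\-]+:\S+)$")

@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    depth: int
    parent: Optional["Dep"]

    @property
    def gav(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"

    def path(self) -> List["Dep"]:  # chain from the project root down to this node
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

    def direct_dependency(self) -> "Dep":
        """The depth-1 ancestor: the pom entry to exclude or upgrade."""
        return self.path()[1] if self.depth > 0 else self

@dataclass(frozen=True)
class Rule:
    group_prefix: str        # str.startswith, so "org.eclipse.jetty" also covers ".websocket"
    artifact: Optional[str]  # None = every artifact under the group prefix
    version: str
    advisories: Tuple[str, ...]

    def matches(self, dep: Dep) -> bool:
        return (dep.group.startswith(self.group_prefix)
                and (self.artifact is None or dep.artifact == self.artifact)
                and dep.version == self.version)

def parse_tree(text: str) -> List[Dep]:
    """Turn dependency:tree output into Dep nodes with parent links (pre-order walk)."""
    deps: List[Dep] = []
    last_at_depth: Dict[int, Dep] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # banner, blank "[INFO]", plugin header, "..." and similar
        depth = len(m.group("tree")) // 3  # every glyph cell is three characters wide
        parts = m.group("coord").split(":")
        group, artifact, rest = parts[0], parts[1], parts[3:]  # parts[2] is the packaging
        # rest is [version] for the root, [version, scope] or [classifier, version, scope]
        version = rest[-2] if len(rest) >= 2 else rest[0]
        parent = last_at_depth.get(depth - 1) if depth > 0 else None
        dep = Dep(group, artifact, version, depth, parent)
        last_at_depth[depth] = dep
        deps.append(dep)
    return deps

def find_flagged(deps: List[Dep], rules: Tuple[Rule, ...]) -> List[Tuple[Dep, Rule]]:
    return [(d, r) for d in deps for r in rules if r.matches(d)]

def report(text: str, rules: Tuple[Rule, ...]) -> List[str]:
    out = []
    for dep, rule in find_flagged(parse_tree(text), rules):
        chain = " -> ".join(d.gav for d in dep.path())
        out.append(f"{dep.gav} [{', '.join(rule.advisories)}] "
                   f"via {dep.direct_dependency().gav}\n    path: {chain}")
    return out

# Audit list built from the coordinates and CVE ids quoted in AMBARI-25323.
RULES: Tuple[Rule, ...] = (
    Rule("com.thoughtworks.xstream", "xstream", "1.4.10", ("CVE-2013-7285",)),
    Rule("org.apache.tomcat.embed", "tomcat-embed-core", "8.5.31", ("CVE-2018-8014",)),
    Rule("org.apache.logging.log4j", "log4j-core", "2.7", ("CVE-2017-5645",)),
    Rule("org.eclipse.jetty", None, "9.4.10.v20180503",
         ("CVE-2017-7657", "CVE-2017-7658", "CVE-2018-12536",
          "CVE-2018-12545", "CVE-2019-10241", "CVE-2019-10247")),
    Rule("org.springframework", "spring-web", "4.3.12.RELEASE", ("CVE-2018-15756",)),
)

# Constructed sample: a condensed tree in the plugin's output format, not a real build log.
SAMPLE_TREE = r"""
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.13.RELEASE:provided
[INFO] |  \- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31:provided
[INFO] |     \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.31:provided
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:1.5.13.RELEASE:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.7:compile
[INFO] \- org.springframework.boot:spring-boot-starter-jetty:jar:1.5.13.RELEASE:compile
[INFO]    +- org.eclipse.jetty:jetty-servlets:jar:9.4.10.v20180503:compile
[INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.4.10.v20180503:compile
[INFO]    \- org.eclipse.jetty.websocket:websocket-server:jar:9.4.10.v20180503:compile
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TREE, RULES)))
```

To use it on a real build, save the output of `mvn dependency:tree` and pass the text to `report`. The rules match an exact version on purpose, which is enough to confirm that the specific artifacts listed in this issue are gone after the fix; a range-aware scanner such as OWASP dependency-check is the right tool for finding vulnerable versions you do not already know about.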