[ https://issues.apache.org/jira/browse/AMBARI-25323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krisztian Kasa resolved AMBARI-25323.
-------------------------------------
    Resolution: Duplicate

AMBARI-25130

> Ambari Infra Manager: CVE issues
> --------------------------------
>
>                 Key: AMBARI-25323
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25323
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-infra
>    Affects Versions: 2.7.3
>            Reporter: Krisztian Kasa
>            Assignee: Krisztian Kasa
>            Priority: Major
>             Fix For: 2.7.4
>
>
> 1. Remove dependency on com.thoughtworks.xstream:xstream:jar:1.4.10 in Ambari 
> Infra Manager due to security concerns. See 
> https://nvd.nist.gov/vuln/detail/CVE-2013-7285
> {code}
> ± % mvn dependency:tree -Dincludes=com.thoughtworks.xstream:xstream
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
> [INFO] Building Ambari Infra Manager 2.7.3.0.0
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
> [INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
> [INFO] \- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
> {code}
> 2. Remove dependency on org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31 
> in Ambari Infra Manager due to security concerns. See 
> https://nvd.nist.gov/vuln/detail/CVE-2018-8014
> {code}
> ± % mvn dependency:tree -Dincludes=org.apache.tomcat
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
> [INFO] Building Ambari Infra Manager 2.7.3.0.0
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
> [INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
> [INFO] \- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.13.RELEASE:provided
> [INFO]    \- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31:provided
> [INFO]       \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.31:provided
> {code}
> 3. Remove dependency on org.apache.logging.log4j:log4j-core:jar:2.7 in Ambari 
> Infra Manager due to security concerns. See 
> https://nvd.nist.gov/vuln/detail/CVE-2017-5645
> {code}
> ± % mvn dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
> [INFO] Building Ambari Infra Manager 2.7.3.0.0
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
> [INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
> [INFO] \- org.springframework.boot:spring-boot-starter-log4j2:jar:1.5.13.RELEASE:compile
> [INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.7:compile
> {code}
> 4. Remove dependency on org.eclipse.jetty:jetty.* 9.4.10.v20180503 in Ambari 
> Server due to security concerns. See 
> https://nvd.nist.gov/vuln/detail/CVE-2017-7657
> https://nvd.nist.gov/vuln/detail/CVE-2017-7658
> https://nvd.nist.gov/vuln/detail/CVE-2019-10247
> https://nvd.nist.gov/vuln/detail/CVE-2018-12536
> https://nvd.nist.gov/vuln/detail/CVE-2018-12545
> https://nvd.nist.gov/vuln/detail/CVE-2019-10241
> {code}
> ± % mvn dependency:tree -Dincludes=org.eclipse.jetty
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
> [INFO] Building Ambari Infra Manager 2.7.3.0.0
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
> [INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
> [INFO] \- org.springframework.boot:spring-boot-starter-jetty:jar:1.5.13.RELEASE:compile
> [INFO]    +- org.eclipse.jetty:jetty-servlets:jar:9.4.10.v20180503:compile
> [INFO]    |  +- org.eclipse.jetty:jetty-continuation:jar:9.4.10.v20180503:compile
> [INFO]    |  +- org.eclipse.jetty:jetty-http:jar:9.4.10.v20180503:compile
> [INFO]    |  +- org.eclipse.jetty:jetty-util:jar:9.4.10.v20180503:compile
> [INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.4.10.v20180503:compile
> [INFO]    +- org.eclipse.jetty:jetty-webapp:jar:9.4.10.v20180503:compile
> [INFO]    |  +- org.eclipse.jetty:jetty-xml:jar:9.4.10.v20180503:compile
> [INFO]    |  \- org.eclipse.jetty:jetty-servlet:jar:9.4.10.v20180503:compile
> [INFO]    |     \- org.eclipse.jetty:jetty-security:jar:9.4.10.v20180503:compile
> [INFO]    |        \- org.eclipse.jetty:jetty-server:jar:9.4.10.v20180503:compile
> [INFO]    +- org.eclipse.jetty.websocket:websocket-server:jar:9.4.10.v20180503:compile
> [INFO]    |  \- org.eclipse.jetty.websocket:websocket-client:jar:9.4.10.v20180503:compile
> [INFO]    |     \- org.eclipse.jetty:jetty-client:jar:9.4.10.v20180503:compile
> [INFO]    \- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.10.v20180503:compile
> [INFO]       \- org.eclipse.jetty:jetty-annotations:jar:9.4.10.v20180503:compile
> [INFO]          \- org.eclipse.jetty:jetty-plus:jar:9.4.10.v20180503:compile
> {code}
> 5. Remove dependency on markedjs 0.3.2 or upgrade swagger-ui with a newer 
> markedjs version in Ambari Infra Manager due to security concerns. See 
> https://nvd.nist.gov/vuln/detail/CVE-2017-16114
> https://nvd.nist.gov/vuln/detail/CVE-2016-10531
> https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
> https://nvd.nist.gov/vuln/detail/CVE-2015-8854
> https://nvd.nist.gov/vuln/detail/CVE-2015-1370
> {code}
> ~/ambari/ambari-infra/ambari-infra-manager [branch-2.7 *]
> ± % ag marked.js
> target/classes/swagger/swagger.html
> 42:    <script src='swagger-ui/2.2.2/lib/marked.js' type='text/javascript'></script>
> src/main/resources/swagger/swagger.html
> 42:    <script src='swagger-ui/2.2.2/lib/marked.js' type='text/javascript'></script>
> {code}
> 6. Remove dependency on org.springframework.security:spring-security-web 
> 4.3.12.RELEASE in Ambari Infra Manager due to security concerns. See 
> https://nvd.nist.gov/vuln/detail/CVE-2018-15756
> {code}
> ± % mvn dependency:tree
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
> [INFO] Building Ambari Infra Manager 2.7.3.0.0
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
> ...
> [INFO] |  \- org.springframework:spring-web:jar:4.3.12.RELEASE:compile
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
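The issue above works through the vulnerable artifacts one `mvn dependency:tree -Dincludes=...` call at a time. The script below is an added example (not Ambari project code) that automates that step: it parses the tree output Maven prints, records the chain of starters through which each transitive artifact is pulled in, and flags any coordinate older than a fix version. The `FIXED_IN` table and its fix versions are assumptions of this example that must be checked against the NVD entries linked in the issue; `SAMPLE_TREE` is a constructed, abridged copy of the trees quoted above so the script runs offline.

```python
"""Scan `mvn dependency:tree` output for known-vulnerable Maven coordinates.

Added example, not part of the Ambari project. Against a real build run:
    mvn dependency:tree | python3 depscan.py
With no stdin it scans SAMPLE_TREE, a constructed excerpt of the issue's trees.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: abridged from the dependency:tree output quoted in the issue.
SAMPLE_TREE = """
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.13.RELEASE:provided
[INFO] |  \\- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31:provided
[INFO] |     \\- org.apache.tomcat:tomcat-annotations-api:jar:8.5.31:provided
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:1.5.13.RELEASE:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.7:compile
[INFO] +- org.springframework.boot:spring-boot-starter-jetty:jar:1.5.13.RELEASE:compile
[INFO] |  \\- org.eclipse.jetty:jetty-server:jar:9.4.10.v20180503:compile
[INFO] \\- org.springframework:spring-web:jar:4.3.12.RELEASE:compile
"""

# ASSUMED fix versions (this example's data, not the issue's): verify each one
# against the NVD entry linked in the issue before relying on the table.
FIXED_IN: Dict[str, Tuple[str, str]] = {
    "com.thoughtworks.xstream:xstream": ("1.4.11", "CVE-2013-7285"),
    "org.apache.tomcat.embed:tomcat-embed-core": ("8.5.32", "CVE-2018-8014"),
    "org.apache.logging.log4j:log4j-core": ("2.8.2", "CVE-2017-5645"),
    "org.eclipse.jetty:jetty-server": ("9.4.11", "CVE-2018-12536"),
    "org.springframework:spring-web": ("4.3.20", "CVE-2018-15756"),
}

# Maven prints "[INFO] <tree prefix>group:artifact:type[:classifier]:version[:scope]".
# The prefix is built from 3-character cells ("+- ", "\- ", "|  ", "   "), so
# its length divided by 3 is the node's depth. Banner lines do not match.
NODE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\ -]*)(?P<coords>[\w.-]+(?::[\w.-]+){3,5})$")
NOISE_QUALIFIERS = {"release", "final", "ga"}


@dataclass
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str
    path: List[str]  # group:artifact of every ancestor, root project first

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_tree(text: str) -> List[Dependency]:
    """Parse dependency:tree output, recording how each artifact was pulled in."""
    stack: List[Dependency] = []
    nodes: List[Dependency] = []
    for line in text.splitlines():
        m = NODE_RE.match(line.rstrip())
        if not m:
            continue
        parts = m.group("coords").split(":")
        if len(parts) == 4:            # root project line has no scope column
            version, scope = parts[3], "root"
        else:                          # a classifier column may or may not be present
            version, scope = parts[-2], parts[-1]
        depth = len(m.group("prefix")) // 3
        del stack[depth:]              # pop siblings/cousins deeper than this node
        node = Dependency(parts[0], parts[1], version, scope, [d.coordinate for d in stack])
        stack.append(node)
        nodes.append(node)
    return nodes


def version_key(version: str) -> List[Tuple[int, int, str]]:
    """Simplified Maven ordering: numeric tokens compare numerically, other
    qualifiers lexically, and RELEASE/FINAL/GA are ignored (4.3.12.RELEASE == 4.3.12)."""
    key: List[Tuple[int, int, str]] = []
    for tok in re.split(r"[.\-_]", version):
        if tok.isdigit():
            key.append((0, int(tok), ""))
        elif tok and tok.lower() not in NOISE_QUALIFIERS:
            key.append((1, 0, tok.lower()))
    return key


def is_before(version: str, fixed: str) -> bool:
    return version_key(version) < version_key(fixed)


def find_vulnerable(nodes: List[Dependency]) -> List[Tuple[Dependency, str, str]]:
    """Return (node, fixed_in, cve) for every node older than its fix version."""
    return [(n, *FIXED_IN[n.coordinate]) for n in nodes
            if n.coordinate in FIXED_IN and is_before(n.version, FIXED_IN[n.coordinate][0])]


def report(hits: List[Tuple[Dependency, str, str]]) -> str:
    lines = []
    for node, fixed, cve in hits:
        via = " -> ".join(node.path[1:]) or "(direct)"
        # Scope is part of the triage: a `provided` jar (tomcat-embed-core here) is not
        # packaged by Maven, so whether it reaches production depends on the deployment.
        lines.append(f"{cve}: {node.coordinate}:{node.version} (scope={node.scope}, "
                     f"fixed in {fixed}) via {via}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    print(report(find_vulnerable(parse_tree(text))))
```

The path column is what makes the output actionable: every flagged artifact in the sample arrives through a `spring-boot-starter-*` managed by Spring Boot 1.5.13, so the fix is a managed-version override or a Boot upgrade rather than five individual exclusions.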