[ https://issues.apache.org/jira/browse/BEAM-12679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17390189#comment-17390189 ]

Ahmet Altay edited comment on BEAM-12679 at 7/29/21, 11:51 PM:
---------------------------------------------------------------

It looks like:
- jackson-databind was already updated to 2.12.1 
(https://github.com/apache/beam/pull/13900) (See: 
https://issues.apache.org/jira/browse/BEAM-11595)
- log4j_version was already updated to 2.14.1 and then removed from most of the 
code base (See: https://issues.apache.org/jira/browse/BEAM-11055) with the 
exception (https://github.com/apache/beam/search?q=log4j_version) of (i) the 
elasticsearch test, which should not be part of the release, and (ii) hcatalog, 
for a known reason 
(https://github.com/apache/beam/blob/37d71e2529e2511f5f028632423e3297d50661d0/sdks/java/io/hcatalog/build.gradle#L47).

IIUC, as long as you are not using hcatalog, you would not be using older 
versions of these libraries.


was (Author: altay):
It looks like:
- jackson-databind was already updated to 2.12.1 
(https://github.com/apache/beam/pull/13900) (See: 
https://issues.apache.org/jira/browse/BEAM-11595)
- log4j_version was already updated to 2.14.1 and then removed from most of the 
code base (See: https://issues.apache.org/jira/browse/BEAM-11055) with the 
exception (https://github.com/apache/beam/search?q=log4j_version) of (i) the 
elasticsearch test, which should be part of the release, and (ii) hcatalog, for a 
known reason 
(https://github.com/apache/beam/blob/37d71e2529e2511f5f028632423e3297d50661d0/sdks/java/io/hcatalog/build.gradle#L47).

IIUC, as long as you are not using hcatalog, you would not be using older 
versions of these libraries.

> Critical issues are being pulled in by 2 of Beams dependencies
> --------------------------------------------------------------
>
>                 Key: BEAM-12679
>                 URL: https://issues.apache.org/jira/browse/BEAM-12679
>             Project: Beam
>          Issue Type: Bug
>          Components: dependencies
>            Reporter: Joel Cain
>            Priority: P2
>
> Vulnerabilities are being detected by scans of images using Twistlock 
> security service.
> Vulnerabilities:
>  1. org.apache.logging.log4j_log4j-api version 2.6.2 has 2 vulnerabilities (1 
> critical)
>   
>  Main issue description: In Apache Log4j 2.x before 2.8.2, when using the TCP 
> socket server or UDP socket server to receive serialized log events from 
> another application, a specially crafted binary payload can be sent that, 
> when deserialized, can execute arbitrary code.
>   
>  This issue is fixed in version 2.8.2
>   
>  2. com.fasterxml.jackson.core_jackson-databind version 2.9.8 has 49 
> vulnerabilities (14 critical)
>   
>  Example issue description: A flaw was discovered in FasterXML 
> jackson-databind in all versions before 2.9.10 and 2.10.0, where it would 
> permit polymorphic deserialization of malicious objects using the xalan JNDI 
> gadget when used in conjunction with polymorphic type handling methods such 
> as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or 
> `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might 
> instantiate objects from unsafe sources. An attacker could use this flaw to 
> execute arbitrary code.
>   
>  All issues resolved in versions starting 2.9.10.4
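The jackson-databind finding quoted above hinges on one configuration choice: default typing that lets the JSON itself name the class to instantiate. The following is an added example, not code from Beam or from the reporter, that puts the unsafe `enableDefaultTyping()` pattern the description mentions next to the allowlisted form jackson-databind 2.10+ offers through `activateDefaultTyping` and a `PolymorphicTypeValidator`. The `DefaultTypingDemo` and `LogLine` classes and the two JSON inputs are constructed for the demo; `java.util.ArrayList` is used only as a harmless stand-in for "a class id the service never intended to accept".

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not Beam code). Requires jackson-databind 2.10 or later,
 * which is where activateDefaultTyping(PolymorphicTypeValidator, ...) appeared.
 */
public class DefaultTypingDemo {

    // Constructed message type: the only subtype this service expects on the wire.
    public static final class LogLine {
        public String text;
    }

    // Unsafe configuration (the 2.9-era pattern the CVE text refers to):
    // any fully-qualified class name carried in the JSON is resolved and
    // instantiated. Deprecated since 2.10 but still compiles.
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Hardened configuration: default typing stays on for the feature that
    // needs it, but a validator restricts which classes a type id may name.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(LogLine.class)   // explicit allowlist; nothing else resolves
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Returns the runtime class the mapper produced, or null when the type id was refused.
    static Class<?> classProducedBy(ObjectMapper m, String json) throws Exception {
        try {
            // Object is non-concrete, so with OBJECT_AND_NON_CONCRETE the embedded type id is honoured.
            Object o = m.readValue(json, Object.class);
            return o.getClass();
        } catch (InvalidTypeIdException e) {
            return null;   // validator denied the class named in the JSON
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in default-typing WRAPPER_ARRAY form: ["<class name>", <value>].
        String expected   = "[\"" + LogLine.class.getName() + "\",{\"text\":\"hello\"}]";
        String unexpected = "[\"java.util.ArrayList\",[]]";   // benign stand-in for an unintended class id

        System.out.println("unsafe   / expected   -> " + classProducedBy(unsafeMapper(), expected));
        System.out.println("unsafe   / unexpected -> " + classProducedBy(unsafeMapper(), unexpected));
        System.out.println("hardened / expected   -> " + classProducedBy(hardenedMapper(), expected));
        System.out.println("hardened / unexpected -> " + classProducedBy(hardenedMapper(), unexpected));
    }
}
```

The unsafe mapper materialises whatever class the second input names; the hardened one returns `LogLine` for the expected input and refuses the other with `InvalidTypeIdException`. Upgrading to 2.9.10.4 or 2.12.1, as the comment above notes Beam did, closes the known gadget classes, but the allowlist is what removes the class of bug; in a dependency review, `enableDefaultTyping(` and `@JsonTypeInfo(use = Id.CLASS` are the patterns worth grepping for.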



--
This message was sent by Atlassian Jira
(v8.3.4#803005)