[ 
https://issues.apache.org/jira/browse/BEAM-12679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401058#comment-17401058
 ] 

Joel Cain commented on BEAM-12679:
----------------------------------

And for the latest version, seeing jackson-databind being pulled in at:

/opt/docker/jars/beam-vendor-calcite-1_20_0-0.1.jar

Is it possible there are jars used in Beam which themselves still use old 
versions?

> Critical issues are being pulled in by 2 of Beam's dependencies
> ---------------------------------------------------------------
>
>                 Key: BEAM-12679
>                 URL: https://issues.apache.org/jira/browse/BEAM-12679
>             Project: Beam
>          Issue Type: Bug
>          Components: dependencies
>            Reporter: Joel Cain
>            Priority: P2
>
> Vulnerabilities are being detected by scans of images using Twistlock 
> security service.
> Vulnerabilities:
>  1. org.apache.logging.log4j_log4j-api version 2.6.2 has 2 vulnerabilities (1 
> critical)
>   
>  Main issue description: In Apache Log4j 2.x before 2.8.2, when using the TCP 
> socket server or UDP socket server to receive serialized log events from 
> another application, a specially crafted binary payload can be sent that, 
> when deserialized, can execute arbitrary code.
>   
>  This issue is fixed in version 2.8.2
>   
>  2. com.fasterxml.jackson.core_jackson-databind version 2.9.8 has 49 
> vulnerabilities (14 critical)
>   
>  Example issue description: A flaw was discovered in FasterXML 
> jackson-databind in all versions before 2.9.10 and 2.10.0, where it would 
> permit polymorphic deserialization of malicious objects using the xalan JNDI 
> gadget when used in conjunction with polymorphic type handling methods such 
> as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or 
> `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might 
> instantiate objects from unsafe sources. An attacker could use this flaw to 
> execute arbitrary code.
>   
>  All issues are resolved in versions starting from 2.9.10.4.
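As an added check for the question raised above (whether jars used by Beam themselves bundle old versions), and not code from the issue or the Beam project: a Python scan that lists the Maven artifacts shaded into a jar and flags those below the fixed versions the report quotes. It assumes the shaded jar kept the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries of what it bundles (the heuristic most image scanners use), and it builds a constructed sample jar in place of `beam-vendor-calcite-1_20_0-0.1.jar`.

```python
# Added example (not Beam project code): find shaded Maven artifacts inside a
# jar and flag those below the fixed versions quoted in the issue. Assumes the
# shaded jar kept META-INF/maven/<groupId>/<artifactId>/pom.properties entries.
import io
import re
import zipfile

MIN_FIXED = {  # fixed versions from the issue text
    ("org.apache.logging.log4j", "log4j-api"): "2.8.2",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.9.10.4",
}
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")

def parse_version(v):
    """'2.9.10.4' -> (2, 9, 10, 4); a '-rc1'-style suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def bundled_artifacts(jar_bytes):
    """Yield (groupId, artifactId, version) for each pom.properties in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not POM_PROPS.match(name):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                key, sep, val = line.strip().partition("=")
                if sep and not key.startswith("#"):  # skip comments and blank lines
                    props[key.strip()] = val.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                yield props["groupId"], props["artifactId"], props["version"]

def outdated_artifacts(jar_bytes):
    """Return [(groupId, artifactId, found, required)] for artifacts below MIN_FIXED."""
    return [(g, a, v, MIN_FIXED[(g, a)]) for g, a, v in bundled_artifacts(jar_bytes)
            if (g, a) in MIN_FIXED and parse_version(v) < parse_version(MIN_FIXED[(g, a)])]

def build_sample_jar():
    """Constructed stand-in for a vendor jar that shades an old jackson-databind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "#Generated by Maven\nversion=2.9.8\ngroupId=com.fasterxml.jackson.core\n"
                    "artifactId=jackson-databind\n")
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties",
                    "version=2.8.2\ngroupId=org.apache.logging.log4j\nartifactId=log4j-api\n")
        zf.writestr("org/apache/beam/vendor/calcite/Dummy.class", b"")
    return buf.getvalue()

if __name__ == "__main__":  # real use: outdated_artifacts(open(path, "rb").read())
    for g, a, found, required in outdated_artifacts(build_sample_jar()):
        print(f"{g}:{a} {found} is below fixed version {required}")
```

Run against every jar under the image's `/opt/docker/jars/` directory to see which vendored jars carry their own copy of a flagged artifact, independent of the version Beam declares directly.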



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
