[ https://issues.apache.org/jira/browse/BEAM-12679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401306#comment-17401306 ]

Luke Cwik edited comment on BEAM-12679 at 8/18/21, 6:59 PM:
------------------------------------------------------------

You're right, it seems as though we have vendored calcite 1.26.0 but have yet to 
use it since we still point to 1.20.0 here: 
https://github.com/apache/beam/blob/410ad7699621e28433d81809f6b9c42fe7bd6a60/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L665

It looks like https://issues.apache.org/jira/browse/BEAM-9379 wasn't finished.


was (Author: lcwik):
You're right, it seems as though we have vendored calcite 1.26.0 but have yet to 
use it since we still point to 1.20.0 here: 
https://github.com/apache/beam/blob/410ad7699621e28433d81809f6b9c42fe7bd6a60/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L665

> Critical issues are being pulled in by 2 of Beam's dependencies
> ---------------------------------------------------------------
>
>                 Key: BEAM-12679
>                 URL: https://issues.apache.org/jira/browse/BEAM-12679
>             Project: Beam
>          Issue Type: Bug
>          Components: dependencies
>            Reporter: Joel Cain
>            Priority: P2
>
> Vulnerabilities are being detected by scans of images using the Twistlock 
> security service.
> Vulnerabilities:
>  1. org.apache.logging.log4j_log4j-api version 2.6.2 has 2 vulnerabilities (1 
> critical)
>   
>  Main issue description: In Apache Log4j 2.x before 2.8.2, when using the TCP 
> socket server or UDP socket server to receive serialized log events from 
> another application, a specially crafted binary payload can be sent that, 
> when deserialized, can execute arbitrary code.
>   
>  This issue is fixed in version 2.8.2.
>   
>  2. com.fasterxml.jackson.core_jackson-databind version 2.9.8 has 49 
> vulnerabilities (14 critical)
>   
>  Example issue description: A flaw was discovered in FasterXML 
> jackson-databind in all versions before 2.9.10 and 2.10.0, where it would 
> permit polymorphic deserialization of malicious objects using the xalan JNDI 
> gadget when used in conjunction with polymorphic type handling methods such 
> as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or 
> `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might 
> instantiate objects from unsafe sources. An attacker could use this flaw to 
> execute arbitrary code.
>   
>  All issues are resolved in versions starting with 2.9.10.4.
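As an added example, not code from this Jira thread, from Beam or from Jackson itself: the jackson-databind pattern described in item 2 above (unrestricted default typing, where the JSON type id picks the class to instantiate) beside the hardened form jackson-databind 2.10 introduced, `activateDefaultTyping` with a `PolymorphicTypeValidator` that only admits classes from an allow-listed package. The package `com.example.shapes`, the `Envelope` and `Circle` classes and the `java.util.Date` input are constructed for the demonstration; `BasicPolymorphicTypeValidator`, `activateDefaultTyping` and `DefaultTyping.NON_FINAL` are the real Jackson 2.10+ API.

```java
package com.example.shapes;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example with hypothetical classes; not Beam or Jackson project code.
public class PolymorphicTypingDemo {

    // Final on purpose so the root value itself carries no type id under
    // DefaultTyping.NON_FINAL; only the Object-typed property does. That
    // property is exactly where an untrusted type id would otherwise choose
    // the class to build.
    public static final class Envelope {
        public Object payload;
    }

    public static class Circle {
        public double radius;
    }

    // The pattern the issue describes: any non-final class named in a JSON
    // type id may be instantiated. Shown for contrast only; not used below.
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return mapper;
    }

    // Hardened form (jackson-databind 2.10+): default typing stays on, but the
    // validator denies every type id that is not under our own package prefix.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.shapes.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        Circle c = new Circle();
        c.radius = 2.0;
        Envelope env = new Envelope();
        env.payload = c;

        // Default typing writes the class name as a wrapper-array type id:
        // {"payload":["com.example.shapes.PolymorphicTypingDemo$Circle",{"radius":2.0}]}
        String json = mapper.writeValueAsString(env);
        System.out.println(json);

        // Round trip succeeds because the type id is under the allowed prefix.
        Envelope back = mapper.readValue(json, Envelope.class);
        System.out.println("payload class: " + back.payload.getClass().getName());

        // Constructed input naming a class outside the allow-list. java.util.Date
        // is harmless here and stands in for any class a caller might name.
        String foreign = "{\"payload\":[\"java.util.Date\",0]}";
        try {
            mapper.readValue(foreign, Envelope.class);
            System.out.println("unexpected: foreign type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The allow-list is by subtype prefix rather than by base type: with `Object` as the declared type, a base-type rule would admit everything, so naming the trusted package is what actually narrows the set of instantiable classes. Upgrading past 2.9.10.4 removes the known gadget classes from Jackson's built-in block list, but only a validator (or turning default typing off) closes the class of bug rather than individual instances.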



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
