[ https://issues.apache.org/jira/browse/DRILL-7416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16966953#comment-16966953 ]

Vova Vysotskyi commented on DRILL-7416:
---------------------------------------

{{commons-beanutils}}/{{commons-beanutils-core}} come as transitive dependencies, mostly from {{hadoop-common}}, so we need to verify that this library works correctly with the newer version.
{{converter-jackson}} - it should be checked that the opentsdb storage plugin will work correctly with this version of the library. Perhaps the {{retrofit}} version should also be updated.
{{derby}} - used by {{hive-metastore}}, so we also need to verify that this library works correctly with the newer version.
{{drill-shaded-guava-23}} - OK.
{{guava-19.0}} - we cannot update it since most of the projects use much older versions, but still partially compatible with 1.19. For example, the current HBase version still uses guava 11 and wouldn't work with versions newer than 19.
{{hadoop-yarn-common}} - should be updated in the scope of DRILL-6540.
{{jackson-databind}} - should definitely be updated, perhaps along with other jackson libraries.
{{httpclient}} - comes as a transitive dependency, mostly from {{hadoop-common}}/{{hive}}/{{hbase}}, so we need to verify that these libraries work correctly with the newer version.
TBA

> Updates required to dependencies to resolve potential security 
> vulnerabilities 
> -------------------------------------------------------------------------------
>
>                 Key: DRILL-7416
>                 URL: https://issues.apache.org/jira/browse/DRILL-7416
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Bradley Parker
>            Assignee: Bradley Parker
>            Priority: Critical
>              Labels: security
>
> After running an OWASP Dependency Check and ruling out false positives, I 
> have found 25 dependencies that should be updated to remove potential 
> vulnerabilities. They are listed alphabetically with their CVE information 
> below.
>  
> CVSS scores (https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System) 
> represent the severity of a vulnerability on a scale of 1-10, 10 being 
> critical. CVEs (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) 
> are public identifiers used to reference known vulnerabilities. 
>  
> Package: avro-1.8.2
> Should be: 1.9.0 (*Existing item at DRILL-7302*)
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: commons-beanutils-1.9.2
> Should be: 1.9.4
> Max CVE (CVSS): CVE-2019-10086 (7.3)
> Complete CVE list: CVE-2019-10086
>
> Package: commons-beanutils-core-1.8.0
> Should be: Moved to commons-beanutils
> Max CVE (CVSS): CVE-2014-0114 (7.5)
> Complete CVE list: CVE-2014-0114
> Note: Deprecated, replaced by commons-beanutils
>
> Package: converter-jackson
> Should be: 2.5.0
> Max CVE (CVSS): CVE-2018-1000850 (7.5)
> Complete CVE list: CVE-2018-1000850
>
> Package: derby-10.10.2.0
> Should be: 10.14.2.0
> Max CVE (CVSS): CVE-2015-1832 (9.1)
> Complete CVE list: CVE-2015-1832, CVE-2018-1313
>
> Package: drill-hive-exec-shaded
> Should be: New release needed with updated Guava
> Max CVE (CVSS): CVE-2018-10237 (7.5)
> Complete CVE list: CVE-2018-10237
>
> Package: drill-java-exec
> Should be: New release needed with updated jQuery and Bootstrap
> Max CVE (CVSS): CVE-2019-11358 (6.1)
> Complete CVE list: CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, 
> CVE-2019-8331, CVE-2019-11358
>
> Package: drill-shaded-guava-23
> Should be: New release needed with updated Guava
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: guava-19.0
> Should be: 24.1.1
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: hadoop-yarn-common-2.7.4
> Should be: 3.2.1
> Max CVE (CVSS): CVE-2019-11358 (6.1)
> Complete CVE list: CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, 
> CVE-2010-5312, CVE-2016-7103
>
> Package: hbase-http-2.1.1.jar
> Should be: 2.1.4
> Max CVE (CVSS): CVE-2019-0212 (7.5)
> Complete CVE list: CVE-2019-0212
>
> Package: httpclient-4.2.5.jar
> Should be: 4.3.6
> Max CVE (CVSS): CVE-2014-3577 (5.8)
> Complete CVE list: CVE-2014-3577, CVE-2015-5262
>
> Package: jackson-databind-2.9.5
> Should be: 2.10.0
> Max CVE (CVSS): CVE-2018-14721 (10)
> Complete CVE list: CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, 
> CVE-2019-16335, CVE-2019-14540, CVE-2019-14439, CVE-2019-14379, 
> CVE-2018-11307, CVE-2019-12384, CVE-2019-12814, CVE-2019-12086, 
> CVE-2018-12023, CVE-2018-12022, CVE-2018-19362, CVE-2018-19361, 
> CVE-2018-19360, CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, 
> CVE-2018-14718, CVE-2018-1000873
>
> Package: jetty-server-9.3.25.v20180904.jar (*Existing DRILL-7135, but that's 
> to go to 9.4 and it's blocked, we should go to latest 9.3 in the meantime*)
> Should be: 9.3.27.v20190418
> Max CVE (CVSS): CVE-2017-9735 (7.5)
> Complete CVE list: CVE-2017-9735, CVE-2019-10241, CVE-2019-10247
>
> Package: Kafka 0.11.0.1
> Should be: 2.2.0 (*Existing item DRILL-6739*)
> Max CVE (CVSS): CVE-2018-17196 (8.8)
> Complete CVE list: CVE-2018-17196, CVE-2018-1288, CVE-2017-12610
>
> Package: kudu-client-1.3.0.jar
> Should be: 1.10.0
> Max CVE (CVSS): CVE-2015-5237 (8.8)
> Complete CVE list: CVE-2018-10237, CVE-2015-5237, CVE-2019-16869
> Note: Only a partial fix, no fix for netty CVE-2019-16869 (7.5); kudu still 
> needs to update their netty (this is not unexpected as this CVE is newer)
>
> Package: libfb303-0.9.3.jar
> Should be: 0.12.0
> Max CVE (CVSS): CVE-2018-1320 (7.5)
> Complete CVE list: CVE-2018-1320
> Note: Moved to libthrift
>
> Package: okhttp-3.3.0
> Should be: 3.12.0
> Max CVE (CVSS): CVE-2018-20200 (5.9)
> Complete CVE list: CVE-2018-20200
>
> Package: protobuf-java-2.5.0
> Should be: 3.4.0
> Max CVE (CVSS): CVE-2015-5237 (8.8)
> Complete CVE list: CVE-2015-5237
>
> Package: retrofit-2.1.0
> Should be: 2.5.0
> Max CVE (CVSS): CVE-2018-1000850 (7.5)
> Complete CVE list: CVE-2018-1000850
>
> Package: scala-library-2.11.0
> Should be: 2.11.12
> Max CVE (CVSS): CVE-2017-15288 (7.8)
> Complete CVE list: CVE-2017-15288
>
> Package: serializer-2.7.1
> Should be: 2.7.2
> Max CVE (CVSS): CVE-2014-0107 (7.5)
> Complete CVE list: CVE-2014-0107
>
> Package: xalan-2.7.1
> Should be: 2.7.2
> Max CVE (CVSS): CVE-2014-0107 (7.5)
> Complete CVE list: CVE-2014-0107
>
> Package: xercesImpl-2.11.0
> Should be: 2.12.0
> Max CVE (CVSS): CVE-2012-0881 (7.5)
> Complete CVE list: CVE-2012-0881
>
> Package: zookeeper-3.4.12
> Should be: 3.4.14
> Max CVE (CVSS): CVE-2019-0201 (5.9)
> Complete CVE list: CVE-2019-0201
>  
> Additional keywords for searching: Vulnerability, CVE, OWASP, Dependency Check



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

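The comment above makes the practical point: several of the flagged artifacts are not declared directly but arrive transitively (via hadoop-common, hive, hbase), so the first step of the cleanup is to find out which parent pulls each one in and whether the resolved version is still below the proposed one. The script below does that cross-check. It is an added example, not code from the issue or from the Drill project: it parses the "Package / Should be / Max CVE" layout used in the issue text and the output of `mvn dependency:tree`, and prints the findings highest CVSS first with the path that brings each artifact in. The findings excerpt, the `org.example:sample-module` tree and its versions are constructed sample data, and the version ordering is a simplified numeric comparison rather than Maven's ComparableVersion.

```python
"""Cross-check a Dependency-Check finding list against a Maven dependency tree.

Added example (not Drill project code).  Version ordering is a simplified
numeric compare, not Maven's ComparableVersion.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the issue's own layout (scores copied from the issue).
FINDINGS_TEXT = """\
Package: commons-beanutils-1.9.2
Should be: 1.9.4
Max CVE (CVSS): CVE-2019-10086 (7.3)
Complete CVE list: CVE-2019-10086
Package: httpclient-4.2.5.jar
Should be: 4.3.6
Max CVE (CVSS): CVE-2014-3577  (5.8)
Complete CVE list: CVE-2014-3577
CVE-2015-5262
Package: jackson-databind-2.9.5
Should be: 2.10.0
Max CVE (CVSS): CVE-2018-14721  (10)
Complete CVE list: CVE-2019-17267
CVE-2018-14721
"""

# Constructed `mvn dependency:tree` excerpt for a hypothetical module that has
# already bumped jackson-databind but still inherits the rest via hadoop-common.
TREE_TEXT = """\
[INFO] org.example:sample-module:jar:1.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.4:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  \\- org.apache.httpcomponents:httpclient:jar:4.2.5:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PKG_RE = re.compile(r"^(?P<name>.+?)[- ](?P<ver>\d\S*)$")
MAX_RE = re.compile(r"Max CVE \(CVSS\):\s*(CVE-\d{4}-\d{4,})\s*\(([\d.]+)\)")
TREE_RE = re.compile(r"^\[INFO\]\s(?P<prefix>(?:\|\s\s|\s{3})*)(?P<conn>[+\\]-\s)?(?P<coord>\S+)")


@dataclass
class Finding:
    name: str
    current: Optional[str]  # None when the entry carries no version (e.g. drill-java-exec)
    target: str             # first token of "Should be:"; may not be a version
    max_cve: str
    cvss: float
    cves: list


@dataclass
class Report:
    name: str
    cvss: float
    max_cve: str
    target: str
    resolved: Optional[str]  # version actually in the tree, None if absent
    via: list                # parent artifactIds between the root and this one
    status: str              # "outdated", "ok", "review" or "not-in-tree"


def version_key(v: str):
    """Numeric components only: '9.3.25.v20180904' -> (9, 3, 25, 20180904)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_findings(text: str) -> list:
    findings = []
    for block in re.split(r"^Package:\s*", text, flags=re.M)[1:]:
        pkg = block.splitlines()[0].strip().rstrip(".")   # "zookeeper-3.4.12." style
        if pkg.endswith(".jar"):
            pkg = pkg[:-4]
        m = PKG_RE.match(pkg)
        name, current = (m.group("name"), m.group("ver")) if m else (pkg, None)
        target = re.search(r"^Should be:\s*(.+)$", block, re.M).group(1).split()[0]
        mx = MAX_RE.search(block)
        findings.append(Finding(name, current, target, mx.group(1),
                                float(mx.group(2)), sorted(set(CVE_RE.findall(block)))))
    return findings


def parse_tree(text: str) -> dict:
    """artifactId -> (resolved version, parent artifactIds below the root)."""
    stack, tree = [], {}
    for line in text.splitlines():
        m = TREE_RE.match(line)
        if not m:
            continue
        fields = m.group("coord").split(":")
        if len(fields) < 4:          # "[INFO] BUILD SUCCESS" and similar lines
            continue
        depth = len(m.group("prefix")) // 3 + (1 if m.group("conn") else 0)
        version = fields[-1] if depth == 0 else fields[-2]   # root line has no scope
        del stack[depth:]
        stack.append(fields[1])
        tree.setdefault(fields[1], (version, stack[1:-1]))
    return tree


def triage(findings_text: str, tree_text: str) -> list:
    tree = parse_tree(tree_text)
    reports = []
    for f in parse_findings(findings_text):
        hit = tree.get(f.name)
        if hit is None:
            resolved, via, status = None, [], "not-in-tree"
        else:
            resolved, via = hit
            if not f.target[:1].isdigit():        # "Moved to ...", "New release needed ..."
                status = "review"
            elif version_key(resolved) >= version_key(f.target):
                status = "ok"
            else:
                status = "outdated"
        reports.append(Report(f.name, f.cvss, f.max_cve, f.target, resolved, via, status))
    return sorted(reports, key=lambda r: -r.cvss)


if __name__ == "__main__":
    for r in triage(FINDINGS_TEXT, TREE_TEXT):
        path = " -> ".join(r.via) or "(direct)"
        print(f"{r.cvss:>4} {r.max_cve:<15} {r.name}: {r.resolved} -> {r.target} [{r.status}] via {path}")
```

Against the constructed tree this reports jackson-databind as ok (direct, already at 2.10.0) and commons-beanutils and httpclient as outdated via hadoop-common, which is exactly the split the comment draws between artifacts Drill can bump itself and ones that have to be pinned or excluded at the parent. An artifact whose "Should be" is not a version (the shaded Drill jars, the deprecated commons-beanutils-core) is marked "review" so it is not silently counted as fixed.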