[jira] [Updated] (KYLIN-3605) Fix security issues reported by snyk.io

[Shaofeng SHI (JIRA)]

     [ 
https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shaofeng SHI updated KYLIN-3605:
--------------------------------
    Description: 
HIGH SEVERITY
h1. Arbitrary Code Execution
 * Vulnerable module: commons-beanutils:commons-beanutils
 * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT

h2. Detailed paths and remediation
 * 
*Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
org.apache.hadoop:hadoop-common@2.7.1 › 
commons-configuration:commons-configuration@1.6 › 
commons-digester:commons-digester@1.8 › 
commons-beanutils:commons-beanutils@1.7.0
*Remediation:* No remediation path available.

h2. Overview

[{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]

Vulnerable versions of _Apache Commons BeanUtils_, do not suppress the class 
property, which allows remote attackers to manipulate the {{ClassLoader}}and 
execute arbitrary code via the class parameter, as demonstrated by the passing 
of this parameter to the {{getClass}} method of the {{ActionForm}}object in 
Struts 1.
 
HIGH SEVERITY
h1. Arbitrary Command Execution
 * Vulnerable module: org.mortbay.jetty:jetty
 * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT

h2. Detailed paths and remediation
 * 
*Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
org.apache.hadoop:hadoop-common@2.7.1 ›org.mortbay.jetty:jetty@6.1.26
*Remediation:* No remediation path available.

h2. Overview

[org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty] 
is an open-source project providing a HTTP server, HTTP client and 
javax.servlet container.

Affected versions of this package are vulnerable to Arbitrary Command 
Execution. It writes backtrace data without sanitizing non-printable 
characters, which might allow remote attackers to modify a window's title, or 
possibly execute arbitrary commands or overwrite files, via an HTTP request 
containing an escape sequence for a terminal emulator, related to (1) a string 
value in the Age parameter to the default URI for the Cookie Dump Servlet in 
test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an 
alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value 
in the Content-Length HTTP header to an arbitrary application.
HIGH SEVERITY
h1. Information Exposure
 * Vulnerable module: org.apache.hadoop:hadoop-common
 * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT

h2. Detailed paths and remediation
 * 
*Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
org.apache.hadoop:hadoop-common@2.7.1
*Remediation:* No remediation path available.

h2. Overview

[{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a framework 
that allows for the distributed processing of large data sets across clusters 
of computers using simple programming models.

Affected versions of the package are vulnerable to Information Exposure.

If you use the CredentialProvider feature to encrypt passwords used in 
NodeManager configs, it may be possible for any Container launched by that 
NodeManager to gain access to the encryption password. The other passwords 
themselves are not directly exposed.
 

  was:
[org.apache.commons:commons-compress|https://github.com/apache/commons-compress]
 defines an API for working with compression and archive formats.

Affected versions of this package are vulnerable to Directory Traversal.


> Fix security issues reported by snyk.io
> ---------------------------------------
>
>                 Key: KYLIN-3605
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3605
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Priority: Major
>
> HIGH SEVERITY
> h1. Arbitrary Code Execution
>  * Vulnerable module: commons-beanutils:commons-beanutils
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1 › 
> commons-configuration:commons-configuration@1.6 › 
> commons-digester:commons-digester@1.8 › 
> commons-beanutils:commons-beanutils@1.7.0
> *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_, do not suppress the class 
> property, which allows remote attackers to manipulate the {{ClassLoader}}and 
> execute arbitrary code via the class parameter, as demonstrated by the 
> passing of this parameter to the {{getClass}} method of the 
> {{ActionForm}}object in Struts 1.
>  
> HIGH SEVERITY
> h1. Arbitrary Command Execution
>  * Vulnerable module: org.mortbay.jetty:jetty
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1 ›org.mortbay.jetty:jetty@6.1.26
> *Remediation:* No remediation path available.
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty]
>  is an open-source project providing a HTTP server, HTTP client and 
> javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command 
> Execution. It writes backtrace data without sanitizing non-printable 
> characters, which might allow remote attackers to modify a window's title, or 
> possibly execute arbitrary commands or overwrite files, via an HTTP request 
> containing an escape sequence for a terminal emulator, related to (1) a 
> string value in the Age parameter to the default URI for the Cookie Dump 
> Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under 
> cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) 
> an alphabetic value in the Content-Length HTTP header to an arbitrary 
> application.
> HIGH SEVERITY
> h1. Information Exposure
>  * Vulnerable module: org.apache.hadoop:hadoop-common
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1
> *Remediation:* No remediation path available.
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a 
> framework that allows for the distributed processing of large data sets 
> across clusters of computers using simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in 
> NodeManager configs, it may be possible for any Container launched by that 
> NodeManager to gain access to the encryption password. The other passwords 
> themselves are not directly exposed.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)