[ 
https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shaofeng SHI reassigned KYLIN-3605:
-----------------------------------

    Assignee: Shaofeng SHI

> Fix security issues reported by snyk.io
> ---------------------------------------
>
>                 Key: KYLIN-3605
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3605
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Assignee: Shaofeng SHI
>            Priority: Major
>             Fix For: v2.6.0
>
>
> HIGH SEVERITY
> h1. Arbitrary Code Execution
>  * Vulnerable module: commons-beanutils:commons-beanutils
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1 › 
> commons-configuration:commons-configuration@1.6 › 
> commons-digester:commons-digester@1.8 › 
> commons-beanutils:commons-beanutils@1.7.0
> *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_ do not suppress the class 
> property, which allows remote attackers to manipulate the {{ClassLoader}} and 
> execute arbitrary code via the class parameter, as demonstrated by the 
> passing of this parameter to the {{getClass}} method of the 
> {{ActionForm}} object in Struts 1.
>  
> HIGH SEVERITY
> h1. Arbitrary Command Execution
>  * Vulnerable module: org.mortbay.jetty:jetty
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1 ›org.mortbay.jetty:jetty@6.1.26
> *Remediation:* No remediation path available.
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty]
> is an open-source project providing an HTTP server, HTTP client and 
> javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command 
> Execution. It writes backtrace data without sanitizing non-printable 
> characters, which might allow remote attackers to modify a window's title, or 
> possibly execute arbitrary commands or overwrite files, via an HTTP request 
> containing an escape sequence for a terminal emulator, related to (1) a 
> string value in the Age parameter to the default URI for the Cookie Dump 
> Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under 
> cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) 
> an alphabetic value in the Content-Length HTTP header to an arbitrary 
> application.
> HIGH SEVERITY
> h1. Information Exposure
>  * Vulnerable module: org.apache.hadoop:hadoop-common
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1
> *Remediation:* No remediation path available.
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a 
> framework that allows for the distributed processing of large data sets 
> across clusters of computers using simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in 
> NodeManager configs, it may be possible for any Container launched by that 
> NodeManager to gain access to the encryption password. The other passwords 
> themselves are not directly exposed.
>  
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
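The first finding above describes how BeanUtils property resolution lets a request parameter named "class.classLoader..." walk from a form bean to its ClassLoader. The following is an added example, not code from the Kylin project, from Snyk, or from the issue text: it shows the traversal with a default PropertyUtilsBean and then the hardened form that registers SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS. The example assumes commons-beanutils 1.9.2 or later on the classpath (the release that introduced that introspector); the commons-beanutils 1.7.0 that hadoop-common 2.7.1 drags in has no such hook, so for the dependency path reported here the only option is to replace the artifact with a newer one. The SearchForm bean and the request parameters are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example (not Kylin, Snyk or Commons BeanUtils project code).
 * Assumes commons-beanutils >= 1.9.2, where SuppressPropertiesBeanIntrospector exists.
 */
public class ClassPropertyDemo {

    /** Constructed stand-in for a form bean populated from request parameters. */
    public static class SearchForm {
        private String query;
        public String getQuery() { return query; }
        public void setQuery(String query) { this.query = query; }
    }

    /**
     * Returns true when "class.classLoader" can be resolved through BeanUtils
     * nested-property resolution on the given bean, i.e. when the "class"
     * property exposed by java.beans.Introspector is still visible.
     */
    public static boolean classLoaderReachable(PropertyUtilsBean pub, Object bean) {
        try {
            Object loader = pub.getNestedProperty(bean, "class.classLoader");
            return loader != null;
        } catch (NoSuchMethodException e) {
            // "class" is not a known property on this bean: the traversal is cut off.
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    /** A PropertyUtilsBean that removes the "class" property from every bean it introspects. */
    public static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one legitimate field plus a probe for the class property.
        Map<String, Object> params = new HashMap<>();
        params.put("query", "kylin");
        params.put("class.classLoader.unused", "x");

        SearchForm form = new SearchForm();

        // Default introspection: the "class" property is visible unless the library
        // version suppresses it by default, so the ClassLoader can be reached.
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default introspection, class.classLoader reachable: "
                + classLoaderReachable(defaults, form));

        // Hardened introspection: "class" is dropped, so the same path is rejected.
        PropertyUtilsBean safe = hardened();
        System.out.println("SUPPRESS_CLASS registered, class.classLoader reachable: "
                + classLoaderReachable(safe, form));

        // Populate through the hardened PropertyUtilsBean: the legitimate field is set,
        // the "class.classLoader.unused" key is skipped because "class" is unknown.
        BeanUtilsBean utils = new BeanUtilsBean(new ConvertUtilsBean(), safe);
        utils.populate(form, params);
        System.out.println("query after populate: " + form.getQuery());
    }
}
```

Registering the introspector on a single PropertyUtilsBean instance, as above, protects only code that goes through that instance; application code that uses the static BeanUtils/PropertyUtils helpers resolves through the shared BeanUtilsBean.getInstance(), so the same addBeanIntrospector call has to be applied to that instance's PropertyUtilsBean as well.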