[ https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shaofeng SHI reassigned KYLIN-3605:
-----------------------------------
Assignee: Shaofeng SHI
> Fix security issues reported by snyk.io
> ---------------------------------------
>
> Key: KYLIN-3605
> URL: https://issues.apache.org/jira/browse/KYLIN-3605
> Project: Kylin
> Issue Type: Improvement
> Reporter: Shaofeng SHI
> Assignee: Shaofeng SHI
> Priority: Major
> Fix For: v2.6.0
>
>
> HIGH SEVERITY
> h1. Arbitrary Code Execution
> * Vulnerable module: commons-beanutils:commons-beanutils
> * Introduced through: org.apache.kylin:[email protected]
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:[email protected] ›
> org.apache.kylin:[email protected] › com.github.joshelser:[email protected] ›
> org.apache.hadoop:[email protected] › commons-configuration:[email protected] ›
> commons-digester:[email protected] › commons-beanutils:[email protected]
> *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_ do not suppress the class
> property, which allows remote attackers to manipulate the {{ClassLoader}} and
> execute arbitrary code via the class parameter, as demonstrated by the
> passing of this parameter to the {{getClass}} method of the
> {{ActionForm}} object in Struts 1.
>
> HIGH SEVERITY
> h1. Arbitrary Command Execution
> * Vulnerable module: org.mortbay.jetty:jetty
> * Introduced through: org.apache.kylin:[email protected]
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:[email protected] ›
> org.apache.kylin:[email protected] › com.github.joshelser:[email protected] ›
> org.apache.hadoop:[email protected] › org.mortbay.jetty:[email protected]
> *Remediation:* No remediation path available.
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty]
> is an open-source project providing an HTTP server, HTTP client and
> javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command
> Execution. It writes backtrace data without sanitizing non-printable
> characters, which might allow remote attackers to modify a window's title, or
> possibly execute arbitrary commands or overwrite files, via an HTTP request
> containing an escape sequence for a terminal emulator, related to (1) a
> string value in the Age parameter to the default URI for the Cookie Dump
> Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under
> cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3)
> an alphabetic value in the Content-Length HTTP header to an arbitrary
> application.
> HIGH SEVERITY
> h1. Information Exposure
> * Vulnerable module: org.apache.hadoop:hadoop-common
> * Introduced through: org.apache.kylin:[email protected]
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:[email protected] ›
> org.apache.kylin:[email protected] › com.github.joshelser:[email protected] ›
> org.apache.hadoop:[email protected]
> *Remediation:* No remediation path available.
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a
> framework that allows for the distributed processing of large data sets
> across clusters of computers using simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in
> NodeManager configs, it may be possible for any Container launched by that
> NodeManager to gain access to the encryption password. The other passwords
> themselves are not directly exposed.
>
--
This message was sent by Atlassian JIRA (v7.6.3#76005)