[ https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shaofeng SHI reassigned KYLIN-3605:
-----------------------------------

    Assignee: Shaofeng SHI

> Fix security issues reported by snyk.io
> ---------------------------------------
>
>                 Key: KYLIN-3605
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3605
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Assignee: Shaofeng SHI
>            Priority: Major
>             Fix For: v2.6.0
>
>
> HIGH SEVERITY
>
> h1. Arbitrary Code Execution
> * Vulnerable module: commons-beanutils:commons-beanutils
> * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
>
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT ›
>   org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT ›
>   com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 ›
>   org.apache.hadoop:hadoop-common@2.7.1 ›
>   commons-configuration:commons-configuration@1.6 ›
>   commons-digester:commons-digester@1.8 ›
>   commons-beanutils:commons-beanutils@1.7.0
> *Remediation:* No remediation path available.
>
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_ do not suppress the class
> property, which allows remote attackers to manipulate the {{ClassLoader}} and
> execute arbitrary code via the class parameter, as demonstrated by the
> passing of this parameter to the {{getClass}} method of the
> {{ActionForm}} object in Struts 1.
>
> HIGH SEVERITY
>
> h1. Arbitrary Command Execution
> * Vulnerable module: org.mortbay.jetty:jetty
> * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
>
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT ›
>   org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT ›
>   com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 ›
>   org.apache.hadoop:hadoop-common@2.7.1 ›
>   org.mortbay.jetty:jetty@6.1.26
> *Remediation:* No remediation path available.
>
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty]
> is an open-source project providing an HTTP server, HTTP client and
> javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command
> Execution. It writes backtrace data without sanitizing non-printable
> characters, which might allow remote attackers to modify a window's title, or
> possibly execute arbitrary commands or overwrite files, via an HTTP request
> containing an escape sequence for a terminal emulator, related to (1) a
> string value in the Age parameter to the default URI for the Cookie Dump
> Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under
> cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3)
> an alphabetic value in the Content-Length HTTP header to an arbitrary
> application.
>
> HIGH SEVERITY
>
> h1. Information Exposure
> * Vulnerable module: org.apache.hadoop:hadoop-common
> * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
>
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT ›
>   org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT ›
>   com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 ›
>   org.apache.hadoop:hadoop-common@2.7.1
> *Remediation:* No remediation path available.
>
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a
> framework that allows for the distributed processing of large data sets
> across clusters of computers using simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in
> NodeManager configs, it may be possible for any Container launched by that
> NodeManager to gain access to the encryption password. The other passwords
> themselves are not directly exposed.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)