[ https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16633174#comment-16633174 ]
ASF GitHub Bot commented on KYLIN-3605:
---------------------------------------
codecov-io commented on issue #276: KYLIN-3605 upgrade hadoop-common and zookeeper version to fix securit…
URL: https://github.com/apache/kylin/pull/276#issuecomment-425686030
# [Codecov](https://codecov.io/gh/apache/kylin/pull/276?src=pr&el=h1) Report
> :exclamation: No coverage uploaded for pull request base (`master@f42e937`). [Click here to learn what that means](https://docs.codecov.io/docs/error-reference#section-missing-base-commit).
> The diff coverage is `0%`.
```diff
@@ Coverage Diff @@
## master #276 +/- ##
=========================================
Coverage ? 21.09%
Complexity ? 4405
=========================================
Files ? 1087
Lines ? 69965
Branches ? 10120
=========================================
Hits ? 14761
Misses ? 53804
Partials ? 1400
```
| [Impacted Files](https://codecov.io/gh/apache/kylin/pull/276?src=pr&el=tree) | Coverage Δ | Complexity Δ | |
|---|---|---|---|
| [...ylin/common/metrics/metrics2/Metrics2Reporter.java](https://codecov.io/gh/apache/kylin/pull/276/diff?src=pr&el=tree#diff-Y29yZS1jb21tb24vc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2t5bGluL2NvbW1vbi9tZXRyaWNzL21ldHJpY3MyL01ldHJpY3MyUmVwb3J0ZXIuamF2YQ==) | `0% <ø> (ø)` | `0 <0> (?)` | |
| [...ommon/metrics/metrics2/HadoopMetrics2Reporter.java](https://codecov.io/gh/apache/kylin/pull/276/diff?src=pr&el=tree#diff-Y29yZS1jb21tb24vc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2t5bGluL2NvbW1vbi9tZXRyaWNzL21ldHJpY3MyL0hhZG9vcE1ldHJpY3MyUmVwb3J0ZXIuamF2YQ==) | `0% <0%> (ø)` | `0 <0> (?)` | |
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/kylin/pull/276?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/kylin/pull/276?src=pr&el=footer). Last update [f42e937...0ae4686](https://codecov.io/gh/apache/kylin/pull/276?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Fix security issues reported by snyk.io
> ---------------------------------------
>
> Key: KYLIN-3605
> URL: https://issues.apache.org/jira/browse/KYLIN-3605
> Project: Kylin
> Issue Type: Improvement
> Reporter: Shaofeng SHI
> Assignee: Shaofeng SHI
> Priority: Major
> Fix For: v2.6.0
>
>
> HIGH SEVERITY
> h1. Arbitrary Code Execution
> * Vulnerable module: commons-beanutils:commons-beanutils
> * Introduced through: org.apache.kylin:[email protected]
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:[email protected] › org.apache.kylin:[email protected] › com.github.joshelser:[email protected] › org.apache.hadoop:[email protected] › commons-configuration:[email protected] › commons-digester:[email protected] › commons-beanutils:[email protected]
> *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_ do not suppress the class
> property, which allows remote attackers to manipulate the {{ClassLoader}} and
> execute arbitrary code via the class parameter, as demonstrated by the
> passing of this parameter to the {{getClass}} method of the
> {{ActionForm}} object in Struts 1.
>
> HIGH SEVERITY
> h1. Arbitrary Command Execution
> * Vulnerable module: org.mortbay.jetty:jetty
> * Introduced through: org.apache.kylin:[email protected]
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:[email protected] › org.apache.kylin:[email protected] › com.github.joshelser:[email protected] › org.apache.hadoop:[email protected] › org.mortbay.jetty:[email protected]
> *Remediation:* No remediation path available.
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty]
> is an open-source project providing an HTTP server, HTTP client and
> javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command
> Execution. It writes backtrace data without sanitizing non-printable
> characters, which might allow remote attackers to modify a window's title, or
> possibly execute arbitrary commands or overwrite files, via an HTTP request
> containing an escape sequence for a terminal emulator, related to (1) a
> string value in the Age parameter to the default URI for the Cookie Dump
> Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under
> cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3)
> an alphabetic value in the Content-Length HTTP header to an arbitrary
> application.
> HIGH SEVERITY
> h1. Information Exposure
> * Vulnerable module: org.apache.hadoop:hadoop-common
> * Introduced through: org.apache.kylin:[email protected]
> h2. Detailed paths and remediation
> * *Introduced through*: org.apache.kylin:[email protected] › org.apache.kylin:[email protected] › com.github.joshelser:[email protected] › org.apache.hadoop:[email protected]
> *Remediation:* No remediation path available.
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a
> framework that allows for the distributed processing of large data sets
> across clusters of computers using simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in
> NodeManager configs, it may be possible for any Container launched by that
> NodeManager to gain access to the encryption password. The other passwords
> themselves are not directly exposed.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)