[jira] [Commented] (KYLIN-3605) Fix security issues reported by snyk.io

[ASF subversion and git services (JIRA)]

    [ 
https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16633244#comment-16633244
 ] 

ASF subversion and git services commented on KYLIN-3605:
--------------------------------------------------------

Commit 55a085cffa14a0e24b2f8d716d3e4925faf3c40d in kylin's branch 
refs/heads/master from shaofengshi
[ https://gitbox.apache.org/repos/asf?p=kylin.git;h=55a085c ]

KYLIN-3605 upgrade zookeeper version to fix security issues


> Fix security issues reported by snyk.io
> ---------------------------------------
>
>                 Key: KYLIN-3605
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3605
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Assignee: Shaofeng SHI
>            Priority: Major
>             Fix For: v2.6.0
>
>
> HIGH SEVERITY
> h1. Arbitrary Code Execution
>  * Vulnerable module: commons-beanutils:commons-beanutils
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT 
> › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1 › 
> commons-configuration:commons-configuration@1.6 › 
> commons-digester:commons-digester@1.8 › 
> commons-beanutils:commons-beanutils@1.7.0
>  *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_, do not suppress the class 
> property, which allows remote attackers to manipulate the {{ClassLoader}}and 
> execute arbitrary code via the class parameter, as demonstrated by the 
> passing of this parameter to the {{getClass}} method of the 
> \{{ActionForm}}object in Struts 1.
>   
>  HIGH SEVERITY
> h1. Arbitrary Command Execution
>  * Vulnerable module: org.mortbay.jetty:jetty
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT 
> › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1 ›org.mortbay.jetty:jetty@6.1.26
>  *Remediation:* No remediation path available.
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty]
>  is an open-source project providing a HTTP server, HTTP client and 
> javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command 
> Execution. It writes backtrace data without sanitizing non-printable 
> characters, which might allow remote attackers to modify a window's title, or 
> possibly execute arbitrary commands or overwrite files, via an HTTP request 
> containing an escape sequence for a terminal emulator, related to (1) a 
> string value in the Age parameter to the default URI for the Cookie Dump 
> Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under 
> cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) 
> an alphabetic value in the Content-Length HTTP header to an arbitrary 
> application.
>  HIGH SEVERITY
> h1. Information Exposure
>  * Vulnerable module: org.apache.hadoop:hadoop-common
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT 
> › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT 
> ›com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › 
> org.apache.hadoop:hadoop-common@2.7.1
>  *Remediation:* No remediation path available.
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a 
> framework that allows for the distributed processing of large data sets 
> across clusters of computers using simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in 
> NodeManager configs, it may be possible for any Container launched by that 
> NodeManager to gain access to the encryption password. The other passwords 
> themselves are not directly exposed.
>   
>  HIGH SEVERITY
> h1. Access Restriction Bypass
>  * Vulnerable module: org.springframework.security:spring-security-core
>  * Introduced through: org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-server@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT 
> ›org.springframework.security.extensions:spring-security-saml2-core@1.0.2.RELEASE
>  › org.springframework.security:spring-security-web@4.2.3.RELEASE › 
> org.springframework.security:spring-security-core@4.2.3.RELEASE
>  *Remediation:* No remediation path available.
>  * *Introduced through*: org.apache.kylin:kylin-server@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT 
> ›org.springframework.security.extensions:spring-security-saml2-core@1.0.2.RELEASE
>  › org.springframework.security:spring-security-config@4.2.3.RELEASE › 
> org.springframework.security:spring-security-core@4.2.3.RELEASE
>  *Remediation:* No remediation path available.
>  * *Introduced through*: org.apache.kylin:kylin-server@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT 
> ›org.springframework.security:spring-security-ldap@4.2.3.RELEASE › 
> org.springframework.security:spring-security-core@4.2.3.RELEASE
>  *Remediation:* No remediation path available.
> …and 2 more
> h2. Overview
> [org.springframework.security:spring-security-core|http://projects.spring.io/spring-framework/]
>  provides a comprehensive programming and configuration model for modern 
> Java-based enterprise applications - on any kind of deployment platform.
> Affected versions of this package are vulnerable to Access Restriction 
> Bypass. It does not consider URL path parameters when processing security 
> constraints. By adding a URL path parameter with special encodings, an 
> attacker may be able to bypass a security constraint.
>   
> HIGH SEVERITY
> h1. Arbitrary Code Execution
>  * Vulnerable module: commons-beanutils:commons-beanutils
>  * Introduced through: org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-server@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT 
> ›org.apache.kylin:kylin-query@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-core-storage@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-core-cube@2.6.0-SNAPSHOT › 
> commons-validator:commons-validator@1.4.0 › 
> commons-beanutils:commons-beanutils@1.8.3
> *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_, do not suppress the class 
> property, which allows remote attackers to manipulate the {{ClassLoader}}and 
> execute arbitrary code via the class parameter, as demonstrated by the 
> passing of this parameter to the {{getClass}} method of the 
> {{ActionForm}}object in Struts 1.
> HIGH SEVERITY
> h1. Directory Traversal
>  * Vulnerable module: org.springframework:spring-webmvc
>  * Introduced through: org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-server@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT 
> ›org.springframework:spring-webmvc@4.3.10.RELEASE
> *Remediation:* No remediation path available.
> h2. Overview
> [org.springframework:spring-webmvc|https://mvnrepository.com/artifact/org.springframework/spring-webmvc]
>  Spring provides everything you need beyond the Java language to create 
> enterprise applications in a wide range of scenarios and architectures.
> Affected versions of this package are vulnerable to Directory Traversal. When 
> static resources are served from a file system on Windows (as opposed to the 
> classpath, or the ServletContext), a malicious user can send a request using 
> a specially crafted URL that can lead a directory traversal attack.
> HIGH SEVERITY
> h1. Insufficient Validation
>  * Vulnerable module: org.bouncycastle:bcprov-jdk15on
>  * Introduced through: org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT and 
> org.opensaml:opensaml@2.6.6
> h2. Detailed paths and remediation
>  * 
> *Introduced through*: org.apache.kylin:kylin-server@2.6.0-SNAPSHOT › 
> org.apache.kylin:kylin-server-base@2.6.0-SNAPSHOT 
> ›org.springframework.security.extensions:spring-security-saml2-core@1.0.2.RELEASE
>  › org.opensaml:opensaml@2.6.6 ›org.opensaml:openws@1.5.6 › 
> org.opensaml:xmltooling@1.4.6 › org.bouncycastle:bcprov-jdk15on@1.51
> *Remediation:* No remediation path available.
>  * 
> *Introduced through*: org.apache.kylin:kylin-server@2.6.0-SNAPSHOT › 
> org.opensaml:opensaml@2.6.6 › org.opensaml:openws@1.5.6 
> ›org.opensaml:xmltooling@1.4.6 › org.bouncycastle:bcprov-jdk15on@1.51
> *Remediation:* No remediation path available.
> h2. Overview
> [org.bouncycastle:bcprov-jdk15on|http://bouncycastle.org/] is a Java 
> implementation of cryptographic algorithms.
> Affected versions of this package are vulnerable to Insufficient Validation. 
> The other party DH public key is not fully validated.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)