Posted to issues@drill.apache.org by "Charles Givre (Jira)" <ji...@apache.org> on 2019/11/01 20:19:00 UTC

[jira] [Updated] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

     [ https://issues.apache.org/jira/browse/DRILL-7416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Charles Givre updated DRILL-7416:
---------------------------------
    Priority: Critical  (was: Major)

> Updates required to dependencies to resolve potential security vulnerabilities 
> -------------------------------------------------------------------------------
>
>                 Key: DRILL-7416
>                 URL: https://issues.apache.org/jira/browse/DRILL-7416
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Bradley Parker
>            Assignee: Bradley Parker
>            Priority: Critical
>              Labels: security
>             Fix For: 1.17.0
>
>
> After running an OWASP Dependency Check and ruling out false positives, I have found 25 dependencies that should be updated to remove potential vulnerabilities. They are listed alphabetically with their CVE information below.
>  
> [CVSS scores|https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System] represent the severity of a vulnerability on a scale of 1-10, 10 being critical. [CVEs|https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures] are public identifiers used to reference known vulnerabilities.
>  
> Package: avro-1.8.2
> Should be: 1.9.0 (*Existing item at* *DRILL-7302*)
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: commons-beanutils-1.9.2
> Should be: 1.9.4
> Max CVE (CVSS): CVE-2019-10086 (7.3)
> Complete CVE list: CVE-2019-10086
>
> Package: commons-beanutils-core-1.8.0
> Should be: Moved to commons-beanutils
> Max CVE (CVSS): CVE-2014-0114 (7.5)
> Complete CVE list: CVE-2014-0114
> Deprecated, replaced by commons-beanutils
>
> Package: converter-jackson
> Should be: 2.5.0
> Max CVE (CVSS): CVE-2018-1000850 (7.5)
> Complete CVE list: CVE-2018-1000850
>
> Package: derby-10.10.2.0
> Should be: 10.14.2.0
> Max CVE (CVSS): CVE-2015-1832 (9.1)
> Complete CVE list: CVE-2015-1832, CVE-2018-1313
>
> Package: drill-hive-exec-shaded
> Should be: New release needed with updated Guava
> Max CVE (CVSS): CVE-2018-10237 (7.5)
> Complete CVE list: CVE-2018-10237
>
> Package: drill-java-exec
> Should be: New release needed with updated jQuery and Bootstrap
> Max CVE (CVSS): CVE-2019-11358 (6.1)
> Complete CVE list: CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331, CVE-2019-11358
>
> Package: drill-shaded-guava-23
> Should be: New release needed with updated Guava
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: guava-19.0
> Should be: 24.1.1
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: hadoop-yarn-common-2.7.4
> Should be: 3.2.1
> Max CVE (CVSS): CVE-2019-11358 (6.1)
> Complete CVE list: CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2010-5312, CVE-2016-7103
>
> Package: hbase-http-2.1.1.jar
> Should be: 2.1.4
> Max CVE (CVSS): CVE-2019-0212 (7.5)
> Complete CVE list: CVE-2019-0212
>
> Package: httpclient-4.2.5.jar
> Should be: 4.3.6
> Max CVE (CVSS): CVE-2014-3577 (5.8)
> Complete CVE list: CVE-2014-3577, CVE-2015-5262
>
> Package: jackson-databind-2.9.5
> Should be: 2.10.0
> Max CVE (CVSS): CVE-2018-14721 (10)
> Complete CVE list: CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, CVE-2019-14540, CVE-2019-14439, CVE-2019-14379, CVE-2018-11307, CVE-2019-12384, CVE-2019-12814, CVE-2019-12086, CVE-2018-12023, CVE-2018-12022, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, CVE-2018-14718, CVE-2018-1000873
>
> Package: jetty-server-9.3.25.v20180904.jar (*Existing DRILL-7135, but that's to go to 9.4 and it's blocked; we should go to latest 9.3 in the meantime*)
> Should be: 9.3.27.v20190418
> Max CVE (CVSS): CVE-2017-9735 (7.5)
> Complete CVE list: CVE-2017-9735, CVE-2019-10241, CVE-2019-10247
>
> Package: Kafka 0.11.0.1
> Should be: 2.2.0 (*Existing item DRILL-6739*)
> Max CVE (CVSS): CVE-2018-17196 (8.8)
> Complete CVE list: CVE-2018-17196, CVE-2018-1288, CVE-2017-12610
>
> Package: kudu-client-1.3.0.jar
> Should be: 1.10.0
> Max CVE (CVSS): CVE-2015-5237 (8.8)
> Complete CVE list: CVE-2018-10237, CVE-2015-5237, CVE-2019-16869
> Only a partial fix: no fix for netty CVE-2019-16869 (7.5), kudu still needs to update their netty (this is not unexpected as this CVE is newer)
>
> Package: libfb303-0.9.3.jar
> Should be: 0.12.0
> Max CVE (CVSS): CVE-2018-1320 (7.5)
> Complete CVE list: CVE-2018-1320
> Moved to libthrift
>
> Package: okhttp-3.3.0
> Should be: 3.12.0
> Max CVE (CVSS): CVE-2018-20200 (5.9)
> Complete CVE list: CVE-2018-20200
>
> Package: protobuf-java-2.5.0
> Should be: 3.4.0
> Max CVE (CVSS): CVE-2015-5237 (8.8)
> Complete CVE list: CVE-2015-5237
>
> Package: retrofit-2.1.0
> Should be: 2.5.0
> Max CVE (CVSS): CVE-2018-1000850 (7.5)
> Complete CVE list: CVE-2018-1000850
>
> Package: scala-library-2.11.0
> Should be: 2.11.12
> Max CVE (CVSS): CVE-2017-15288 (7.8)
> Complete CVE list: CVE-2017-15288
>
> Package: serializer-2.7.1
> Should be: 2.7.2
> Max CVE (CVSS): CVE-2014-0107 (7.5)
> Complete CVE list: CVE-2014-0107
>
> Package: xalan-2.7.1
> Should be: 2.7.2
> Max CVE (CVSS): CVE-2014-0107 (7.5)
> Complete CVE list: CVE-2014-0107
>
> Package: xercesImpl-2.11.0
> Should be: 2.12.0
> Max CVE (CVSS): CVE-2012-0881 (7.5)
> Complete CVE list: CVE-2012-0881
>
> Package: zookeeper-3.4.12
> Should be: 3.4.14
> Max CVE (CVSS): CVE-2019-0201 (5.9)
> Complete CVE list: CVE-2019-0201
>  
> Additional keywords for searching: Vulnerability, CVE, OWASP, Dependency Check
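As an added example (not code from the issue or from the Drill project), a small Python triage helper that parses the "Package / Should be / Max CVE (CVSS) / Complete CVE list" layout used in the report above, ranks entries by max CVSS score against a threshold, and flags any entry whose max CVE is missing from its own complete list. The sample input is constructed from three of the entries above; the regexes and threshold are my assumptions.

```python
import re

# Constructed sample in the report's own layout: three entries copied from the
# issue text above (the full report lists 25 packages).
SAMPLE_REPORT = """\
Package: jackson-databind-2.9.5
Should be: 2.10.0
Max CVE (CVSS): CVE-2018-14721 (10)
Complete CVE list: CVE-2019-17267, CVE-2018-14721
Package: okhttp-3.3.0
Should be: 3.12.0
Max CVE (CVSS): CVE-2018-20200 (5.9)
Complete CVE list: CVE-2018-20200
Package: derby-10.10.2.0
Should be: 10.14.2.0
Max CVE (CVSS): CVE-2015-1832 (9.1)
Complete CVE list: CVE-2015-1832
CVE-2018-1313
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MAX_RE = re.compile(r"Max CVE \(CVSS\):\s*(CVE-\d{4}-\d{4,})\s*\(([\d.]+)\)")

def parse_report(text):
    """Turn the Package / Should be / Max CVE / Complete CVE list blocks into dicts."""
    findings, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Package:"):
            current = {"package": line.split(":", 1)[1].strip(), "cves": []}
            findings.append(current)
        elif current is None:
            continue  # preamble before the first package block
        elif line.startswith("Should be:"):
            current["should_be"] = line.split(":", 1)[1].strip()
        elif line.startswith("Max CVE"):
            m = MAX_RE.match(line)
            current["max_cve"], current["cvss"] = m.group(1), float(m.group(2))
        else:  # "Complete CVE list:" and continuation lines; IDs may be glued to notes
            current["cves"].extend(CVE_RE.findall(line))
    return findings

def prioritize(findings, threshold=7.0):
    """Findings at or above the CVSS threshold, highest score first."""
    return sorted((f for f in findings if f["cvss"] >= threshold), key=lambda f: -f["cvss"])

def inconsistent(findings):
    """Packages whose Max CVE is missing from their own Complete CVE list."""
    return [f["package"] for f in findings if f["max_cve"] not in f["cves"]]
```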



--
This message was sent by Atlassian Jira
(v8.3.4#803005)