Posted to issues@kylin.apache.org by "Billy Liu (JIRA)" <ji...@apache.org> on 2017/09/19 00:47:00 UTC

[jira] [Created] (KYLIN-2879) Upgrade Spring & Spring Security to fix potential vulnerability

Billy Liu created KYLIN-2879:
--------------------------------

             Summary: Upgrade Spring & Spring Security to fix potential vulnerability
                 Key: KYLIN-2879
                 URL: https://issues.apache.org/jira/browse/KYLIN-2879
             Project: Kylin
          Issue Type: Improvement
            Reporter: Billy Liu
            Assignee: Billy Liu
            Priority: Critical


After running against VersionEye, the system shows that Kylin has "14 known security vulnerabilities". They are from the commons-fileupload, commons-email, xercesImpl, spring-webmvc, spring-jdbc, spring-aop, spring-context-support, spring-test, spring-security-core, tomcat-catalina and spring-core libraries. Upgrading to newer versions will fix the vulnerabilities.

Following is the detailed report:

commons-fileupload : 1.3.1

CVE-2016-3092
Apache Commons Fileupload: Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=1349475
http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
http://tomcat.apache.org/security.html
http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Affected versions: <=1.3.1,1.3 && <=1.2.2,1.2

CVE-2016-3092
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
Affected versions: 1.3.1

CVE-2016-1000031
Apache Commons FileUpload Deserialization Gadget
https://www.tenable.com/security/research/tra-2016-12
https://issues.apache.org/jira/browse/FILEUPLOAD-279
https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
Affected versions: <=1.3.2

commons-email : 1.4

CVE-2017-9801
SMTP header injection vulnerability
https://commons.apache.org/proper/commons-email/security-reports.html
https://nvd.nist.gov/vuln/detail/CVE-2017-9801
Affected versions: <=1.4

xercesImpl : 2.11.0

CVE-2013-4002
Apache Xerces: XMLScanner resource exhaustion
https://bugzilla.redhat.com/CVE-2013-4002
http://svn.apache.org/viewvc?view=revision&revision=1499506
Affected versions: <=2.11.0

spring-webmvc : 4.2.8.RELEASE

CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-jdbc : 4.2.8.RELEASE

CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-aop : 4.2.8.RELEASE

CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-context-support : 4.2.8.RELEASE

CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-test : 4.2.8.RELEASE

CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-security-core : 4.0.4.RELEASE

CVE-2016-5007
Spring Security / MVC Path Matching Inconsistency
https://pivotal.io/security/cve-2016-5007
Affected versions: <=4.1.0.RELEASE

tomcat-catalina : 7.0.69

CVE-2016-3092
Apache Commons Fileupload: Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=1349475
http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
http://tomcat.apache.org/security.html
http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Affected versions: <=9.0.0.M7,9 && <=8.5.2,8.5 && <=8.0.35,8.0 && <=7.0.69,7



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
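The report above is only useful once it is turned into a repeatable check against the build file, so that the same coordinates cannot drift back into range after the upgrade. The script below is an added example, not code from the Kylin project or from the issue reporter: it copies the affected-version data exactly as the report lists it, scans a constructed pom.xml (the versions in it are the ones the report names, plus commons-fileupload 1.3.3 as a control that lies outside every quoted range), and prints which CVE covers each dependency. Two things are assumptions rather than facts from the page: the reading of VersionEye's "<=upper,branch && ..." syntax as "on that branch and at or below upper", and the qualifier ordering milestone < release candidate < final used so that 4.2.8.RELEASE compares equal to the bare 4.2.8 in the Spring list and 9.0.0.M7 sorts below 9.0.0.

```python
"""Check Maven dependency versions against the affected-version data in the
VersionEye report quoted in KYLIN-2879.

Added example, not code from the Kylin project or the issue reporter. The
affected sets below are copied from the report; the pom.xml is constructed
to exercise them; the "upper,branch" reading of VersionEye's range syntax
and the qualifier ordering are assumptions."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Explicit affected list for CVE-2016-9878 (identical for every Spring module in the report).
SPRING_9878 = set(
    "4.3.2 4.2.3 4.3.0 4.2.1 3.2.8 4.2.0 4.3.4 4.2.5 4.3.1 4.2.2 3.2.9 4.3.3 4.2.4 "
    "3.2.7 3.2.0 4.2.6 3.2.16 3.2.5 3.2.13 3.2.6 4.2.8 3.2.3 3.2.15 3.2.12 3.2.1 "
    "4.2.7 3.2.2 3.2.14 3.2.11 3.2.10 3.2.4 3.2.17".split()
)

# artifactId -> [(CVE, spec)]. A spec is either a set of exact versions or a list of
# (upper, branch) pairs read as "version on <branch> and <= upper" (assumed meaning of
# VersionEye's "<=1.3.1,1.3 && <=1.2.2,1.2"; an empty branch means any version).
AFFECTED = {
    "commons-fileupload": [
        ("CVE-2016-3092", [("1.3.1", "1.3"), ("1.2.2", "1.2")]),
        ("CVE-2016-1000031", [("1.3.2", "")]),
    ],
    "commons-email": [("CVE-2017-9801", [("1.4", "")])],
    "xercesImpl": [("CVE-2013-4002", [("2.11.0", "")])],
    "spring-security-core": [("CVE-2016-5007", [("4.1.0", "")])],
    "tomcat-catalina": [
        ("CVE-2016-3092", [("9.0.0.M7", "9"), ("8.5.2", "8.5"), ("8.0.35", "8.0"), ("7.0.69", "7")]),
    ],
}
for _spring in ("spring-webmvc", "spring-jdbc", "spring-aop", "spring-context-support", "spring-test"):
    AFFECTED[_spring] = [("CVE-2016-9878", SPRING_9878)]


def version_key(version):
    """Sortable key: (numeric parts, qualifier rank). Assumed ordering: milestones (M7)
    sort below release candidates (RC1), which sort below a final/RELEASE version,
    so 4.2.8.RELEASE == 4.2.8 and 9.0.0.M7 < 9.0.0."""
    parts = re.split(r"[.\-]", version.strip())
    nums, qualifier = [], ""
    for i, part in enumerate(parts):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = ".".join(parts[i:])
            break
    match = re.fullmatch(r"(?i)(M|RC)(\d*)", qualifier)
    if match:
        rank = (0 if match.group(1).upper() == "M" else 1, int(match.group(2) or 0))
    else:
        rank = (2, 0)  # no qualifier, RELEASE, FINAL, ... are all treated as final
    return (tuple(nums), rank)


def is_affected(artifact_id, version):
    """Return the CVE ids from AFFECTED that cover artifact_id:version."""
    key = version_key(version)
    hits = []
    for cve, spec in AFFECTED.get(artifact_id, []):
        if isinstance(spec, set):
            if any(version_key(v) == key for v in spec):
                hits.append(cve)
            continue
        for upper, branch in spec:
            branch_nums = tuple(int(x) for x in branch.split(".")) if branch else ()
            if key[0][:len(branch_nums)] == branch_nums and key <= version_key(upper):
                hits.append(cve)
                break
    return hits


def scan_pom(pom_xml):
    """Return (artifactId, version, scope, cve) for every affected dependency.
    Scope is reported because a hit in a test-scoped module such as spring-test
    does not ship in the deployed artifact and can be prioritised accordingly."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iter(POM_NS + "dependency"):
        artifact = dep.findtext(POM_NS + "artifactId")
        version = dep.findtext(POM_NS + "version")
        scope = dep.findtext(POM_NS + "scope") or "compile"
        if not (artifact and version):
            continue  # version inherited from a parent or BOM; resolve it before checking
        for cve in is_affected(artifact, version):
            findings.append((artifact, version, scope, cve))
    return findings


# Constructed pom.xml using the versions the report lists, plus one version
# (commons-fileupload 1.3.3) that lies outside every range quoted in the report.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>commons-fileupload</groupId><artifactId>commons-fileupload</artifactId><version>1.3.1</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>4.2.8.RELEASE</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-test</artifactId><version>4.2.8.RELEASE</version><scope>test</scope></dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-core</artifactId><version>4.0.4.RELEASE</version></dependency>
    <dependency><groupId>org.apache.tomcat</groupId><artifactId>tomcat-catalina</artifactId><version>7.0.69</version></dependency>
    <dependency><groupId>commons-fileupload</groupId><artifactId>commons-fileupload</artifactId><version>1.3.3</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version, scope, cve in scan_pom(SAMPLE_POM):
        print(f"{artifact}:{version} ({scope}) affected by {cve}")
```

The check only sees versions written literally in the pom; dependencies whose version comes from a parent or a BOM, and transitive dependencies, are skipped, so run it against the effective pom or the resolved dependency tree rather than the raw file. A version falling outside the quoted ranges means only that the report does not list it, not that it is free of later issues.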