Posted to issues@drill.apache.org by "Vitalii Diravka (JIRA)" <ji...@apache.org> on 2019/04/09 14:36:00 UTC

[jira] [Comment Edited] (DRILL-7162) Apache Drill uses 3rd Party with Highest CVEs

    [ https://issues.apache.org/jira/browse/DRILL-7162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16813486#comment-16813486 ] 

Vitalii Diravka edited comment on DRILL-7162 at 4/9/19 2:35 PM:
----------------------------------------------------------------

Jetty version is updated in latest master version to 9.3, see DRILL-7051. There is an issue with the Jetty 9.4 version, see DRILL-7135.
[~er.ayushsharma@gmail.com] Regarding other CVEs, if you are able to fix them please open the PRs.
Thanks


was (Author: vitalii):
Jetty version is updated in latest master version to 9.3, see DRILL-7051. There is an issue with the Jetty 9.4 version, see DRILL-7135.
[~er.ayushsharma@gmail.com] Regarding other CVEs, please publish here the list and if you are able to fix them please open the PRs.
Thanks

> <SECURITY ISSUE> Apache Drill uses 3rd Party with Highest CVEs
> --------------------------------------------------------------
>
>                 Key: DRILL-7162
>                 URL: https://issues.apache.org/jira/browse/DRILL-7162
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.13.0, 1.14.0, 1.15.0
>            Reporter: Ayush Sharma
>            Priority: Major
>
> Apache Drill uses 3rd party libraries with almost 250+ CVEs.
> Most of the CVEs are in the older version of Jetty (9.1.x), whereas the current version of Jetty is 9.4.x.
> Also many of the other libraries are in EOL versions and they are not patched even in the latest release.
> This creates an issue of security when we use it in production.
> We are able to replace many older versions of libraries with the latest versions with no CVEs, however many of them are not replaceable as-is and would require some changes in the source code.
> The jetty version is of the highest priority and needs migration to 9.4.x version immediately.
>  
> Please look into this issue at immediate priority as it compromises the security of the application utilizing Apache Drill.
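The practical question behind this report is which Jetty version a given Drill distribution actually ships, since the fix landed in master as 9.3 (DRILL-7051) while the reporter asks for 9.4.x. The script below is an added example, not part of the JIRA thread and not Apache Drill's own tooling: it scans a directory of jars for jetty-*.jar files and flags every one whose version sorts below a chosen floor. It assumes the usual Maven file naming <artifact>-<version>.jar and a `sort` that understands `-V` (GNU coreutils or busybox); the jar names used in the demo are constructed, empty files created only to exercise the check.

```shell
#!/bin/sh
# Added example, not from the JIRA thread or from Apache Drill itself.
# Flags third-party Jetty jars in a distribution's jar directory whose version
# is below a chosen floor (the report asks for 9.4.x). Assumes the Maven naming
# convention <artifact>-<version>.jar and a `sort` supporting -V (GNU/busybox).

# version_lt A B: succeeds when version string A sorts strictly below B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# jetty_below_floor DIR FLOOR: prints "<artifact> <version>" for each
# jetty-*.jar in DIR that is older than FLOOR. Exit status 1 when anything
# was flagged, 0 when the directory is clean.
jetty_below_floor() {
    dir=$1 floor=$2 flagged=0
    for jar in "$dir"/jetty-*.jar; do
        [ -e "$jar" ] || continue            # glob matched nothing
        base=$(basename "$jar" .jar)
        # version = everything after the last hyphen that is followed by a digit
        ver=$(printf '%s\n' "$base" | sed -E 's/^.*-([0-9][^-]*)$/\1/')
        art=${base%-"$ver"}
        if version_lt "$ver" "$floor"; then
            printf '%s %s\n' "$art" "$ver"
            flagged=1
        fi
    done
    return $flagged
}

# make_sample_dir: builds a throwaway jar directory from constructed file
# names (empty files; versions chosen for the demo) and prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    for f in jetty-server-9.1.5.v20140505.jar \
             jetty-util-9.3.25.v20180904.jar \
             jetty-io-9.4.15.v20190215.jar \
             guava-18.0.jar; do
        : > "$d/$f"
    done
    printf '%s\n' "$d"
}

# Demo: scan the constructed directory against the 9.4.0 floor requested in the report.
demo_dir=$(make_sample_dir)
if jetty_below_floor "$demo_dir" 9.4.0; then
    echo "all Jetty jars are >= 9.4.0"
else
    echo "Jetty jars below 9.4.0 found (listed above)"
fi
rm -rf "$demo_dir"
```

Point it at the `jars/3rdparty` directory of an unpacked Drill tarball (assumed location) to see what a release really bundles; filename versions are only a first screen, since a jar can be shaded or relocated without carrying its version in the name, so confirm with the build's dependency tree before closing a finding.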



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)