Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2020/07/29 08:00:04 UTC

[GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

padma81 opened a new issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387


   **BUG REPORT**
   A security scanner has reported the following CVEs in the apache/bookkeeper:4.9.2 image. 
   
   |**Component**|**Current Version**|**CVE**|**Severity**|**Version to be upgraded to**|**References**|
   |-----|----|----|----|-----|-----|
   |Apache log4j|1.2.17|CVE-2017-5645|CRITICAL|2.8.2|https://nvd.nist.gov/vuln/detail/CVE-2017-5645|
   |Apache log4j|1.2.17|CVE-2019-17571|CRITICAL|2.8.2|https://nvd.nist.gov/vuln/detail/CVE-2019-17571<br/>https://logging.apache.org/log4j/1.2/index.html|
   |Java Platform Standard Edition (JRE) (J2RE)|8u102|CVE-2016-5556|CRITICAL|8u241| |
   |Java Platform Standard Edition (JRE) (J2RE)|8u102|CVE-2016-5568|CRITICAL|8u241| |
   |Java Platform Standard Edition (JRE) (J2RE)|8u102|CVE-2016-5582|CRITICAL|8u241| |
   |Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server|9.4.5.v20170502|CVE-2017-7657|CRITICAL|9.4.11|https://www.eclipse.org/jetty/security-reports.html|
   |Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server|9.4.5.v20170502|CVE-2017-7658|CRITICAL|9.4.11|https://www.eclipse.org/jetty/security-reports.html|
   |Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server|9.4.5.v20170502|CVE-2018-12538|CRITICAL|9.4.11|https://www.eclipse.org/jetty/security-reports.html|
   |Netty Project|3.10.1.Final|CVE-2019-20444|CRITICAL|4.1.44.Final|https://github.com/netty/netty/issues/9866<br/>https://github.com/netty/netty/milestone/218?closed=1|
   |Netty Project|3.10.1.Final|CVE-2019-20445|CRITICAL|4.1.44.Final|https://github.com/netty/netty/issues/9861<br/>https://github.com/netty/netty/milestone/218?closed=1|
   |OpenLDAP|2.4.44|CVE-2019-13565|HIGH|2.4.48|https://access.redhat.com/security/cve/CVE-2019-13565<br/>https://bugzilla.redhat.com/show_bug.cgi?id=1730477<br/>https://www.openldap.org/lists/openldap-announce/201907/msg00001.html|
   |Python programming language|2.7.5|CVE-2018-14647|HIGH|2.7.5-86.el7.x86_64|https://access.redhat.com/security/cve/CVE-2018-14647<br/> https://access.redhat.com/errata/RHSA-2019:2030|
   |Python programming language|2.7.5|CVE-2019-10160|CRITICAL|2.7.5-80.el7_6.x86_64|https://access.redhat.com/security/cve/CVE-2019-10160<br/>https://access.redhat.com/errata/RHSA-2019:1587|
   |Python programming language|2.7.5|CVE-2019-16056|HIGH|2.7.5-88.el7.x86_64|https://access.redhat.com/security/cve/CVE-2019-16056<br/>https://access.redhat.com/errata/RHSA-2020:1131|
   |Python programming language|2.7.5|CVE-2019-5010|HIGH|2.7.5-86.el7.x86_64|https://access.redhat.com/security/cve/CVE-2019-5010<br/>https://access.redhat.com/errata/RHSA-2019:2030|
   |Python programming language|2.7.5|CVE-2019-9948|CRITICAL|2.7.5-86.el7 |https://access.redhat.com/security/cve/CVE-2019-9948<br/>https://access.redhat.com/errata/RHSA-2019:2030|
   |avahi|0.6.31|CVE-2017-6519|CRITICAL|0.6.31-20.el7.x86_64|https://access.redhat.com/security/cve/CVE-2017-6519<br/>https://access.redhat.com/errata/RHSA-2020:1176|
   |elfutils|0.176|CVE-2018-16402|CRITICAL|0.176-2.el7|https://access.redhat.com/security/cve/CVE-2018-16402<br/>https://access.redhat.com/errata/RHSA-2019:2197|
   |jackson-databind|2.9.7|CVE-2018-19360|CRITICAL|2.9.8|https://nvd.nist.gov/vuln/detail/CVE-2018-19360<br/>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8|
   |jackson-databind|2.9.7|CVE-2018-19361|CRITICAL|2.9.8|https://nvd.nist.gov/vuln/detail/CVE-2018-19361<br/>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8|
   |jackson-databind|2.9.7|CVE-2018-19362|CRITICAL|2.9.8|https://nvd.nist.gov/vuln/detail/CVE-2018-19362<br/>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8|
   |jackson-databind|2.9.7|CVE-2019-14379|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-14379<br/>https://github.com/FasterXML/jackson-databind/issues/2387|
   |jackson-databind|2.9.7|CVE-2019-14540|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-14540<br/>https://github.com/FasterXML/jackson-databind/issues/2410|
   |jackson-databind|2.9.7|CVE-2019-14892|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-14892<br/>https://github.com/FasterXML/jackson-databind/issues/2462|
   |jackson-databind|2.9.7|CVE-2019-14893|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-14893<br/>https://github.com/FasterXML/jackson-databind/issues/2469|
   |jackson-databind|2.9.7|CVE-2019-16335|CRITICAL|2.9.10.1|https://nvd.nist.gov/vuln/detail/CVE-2019-16942<br/>https://github.com/FasterXML/jackson-databind/issues/2478|
   |jackson-databind|2.9.7|CVE-2019-16942|CRITICAL|2.9.10.1|https://nvd.nist.gov/vuln/detail/CVE-2019-16942<br/>https://github.com/FasterXML/jackson-databind/issues/2478|
   |jackson-databind|2.9.7|CVE-2019-16943|CRITICAL|2.9.10.1|https://nvd.nist.gov/vuln/detail/CVE-2019-16943<br/>https://github.com/FasterXML/jackson-databind/issues/2478|
   |jackson-databind|2.9.7|CVE-2019-17267|CRITICAL|2.9.10|https://nvd.nist.gov/vuln/detail/CVE-2019-17267<br/>https://github.com/FasterXML/jackson-databind/issues/2460|
   |jackson-databind|2.9.7|CVE-2019-17531|CRITICAL|2.9.10.1|https://nvd.nist.gov/vuln/detail/CVE-2019-17531<br/>https://github.com/FasterXML/jackson-databind/issues/2498|
   |jackson-databind|2.9.7|CVE-2019-20330|CRITICAL|2.9.10.2|https://nvd.nist.gov/vuln/detail/CVE-2019-20330<br/>https://github.com/FasterXML/jackson-databind/issues/2526|
   |jackson-databind|2.9.7|CVE-2020-8840|CRITICAL|2.9.10.3|https://nvd.nist.gov/vuln/detail/CVE-2020-8840<br/>https://github.com/FasterXML/jackson-databind/issues/2620|
   |systemd|219|CVE-2018-15686|CRITICAL|219-67.el7_7.4|https://access.redhat.com/security/cve/CVE-2018-15686<br/>https://access.redhat.com/errata/RHSA-2019:2091|
   |systemd-libs|219|CVE-2018-15686|CRITICAL|219-67.el7_7.4|https://access.redhat.com/security/cve/CVE-2018-15686<br/>https://access.redhat.com/errata/RHSA-2019:2091|
   
   Steps to reproduce the behavior:
   1. Scan the apache/bookkeeper:4.9.2 image with a security scanner.
   
   ***Expected behavior***
   The scanner should not report any vulnerabilities that are already fixed.
   
   ***Screenshots***
   NA
   
   ***Additional context***
   NA


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [bookkeeper] eolivelli commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-706873472


   I am not sure we are going to cut new releases out of branch-4.9.
   It is very old; it may make sense to update it on branch-4.10.
   
   Btw, if there is an interest in making this update, let's do it.





[GitHub] [bookkeeper] padma81 commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
padma81 commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-704854715


   It would be really helpful if anyone could provide an update on this issue.





[GitHub] [bookkeeper] pjfanning commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-1057963446


   Would it be possible to remove the usage of log4j v1? It is end-of-life and has numerous security issues that will not be fixed.





[GitHub] [bookkeeper] padma81 commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
padma81 commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-664911429


   Even though, for Java, the upgraded version is mentioned as 8u241, it is better to upgrade to the latest security fix available.





[GitHub] [bookkeeper] pjfanning commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-1057969745


   https://github.com/apache/bookkeeper/pull/2816 seems to sort out log4j, but the latest official release (4.14.4) still has a log4j v1 dependency (via slf4j-log4j12), so maybe a new release is justified.
   
   https://repo1.maven.org/maven2/org/apache/bookkeeper/bookkeeper-server/4.14.4/bookkeeper-server-4.14.4.pom





[GitHub] [bookkeeper] padma81 edited a comment on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
padma81 edited a comment on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-664911429


   Even though, for Java, the upgraded version is mentioned as 8u241, it is better to upgrade to the latest Java 8 security patch available.





[GitHub] [bookkeeper] Ghatage edited a comment on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
Ghatage edited a comment on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-706796899


    @eolivelli The requirement for netty is to be at 4.1.44-Final at the least.
   It seems we are already at netty [4.1.50-Final](https://github.com/apache/bookkeeper/blob/41412bc647f94d6e13d8dde6daa3081c010d0806/pom.xml#L153) which happened [just a month ago](https://github.com/apache/bookkeeper/commit/7850554a8349cedf1d9236a242e2f7739b471bc9) so I think we are good on that for future releases. Should I backport these changes to [branch-4.9](https://github.com/apache/bookkeeper/tree/branch-4.9)?
   
   [Same with jackson-databind](https://github.com/apache/bookkeeper/blob/41412bc647f94d6e13d8dde6daa3081c010d0806/pom.xml#L139) dependency.
   
   Also what do you recommend for logging? We use SLF4J over log4j, and even the latest SLF4J is lagging behind at [1.7.30](https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12). I couldn't find the change log for the release either.


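The report's table, pjfanning's remark that the 4.14.4 POM still pulls log4j v1 in through slf4j-log4j12, and Ghatage's check that the pom.xml already declares netty 4.1.50.Final (above the 4.1.44.Final floor the scanner asks for) are all the same triage step: per component, work out the lowest version that closes every reported CVE, then compare it with what the build actually declares. The script below is an added example, not code from the BookKeeper project or from anyone in this thread. Its findings list is constructed from a few rows of the table above, the pom.xml excerpt and the property names it reads (netty.version, jackson.version) are assumptions, and the version ordering is a simplified Maven-style compare rather than Maven's full ComparableVersion rules.

```python
"""Triage of container-scanner findings against a Maven pom.xml.

Added example; not code from the BookKeeper project or from this thread.
FINDINGS and POM_XML are constructed inputs; COMPONENT_PROPERTY maps scanned
components to pom property names that are assumed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed findings modeled on rows of the report's table:
# (component, installed version, CVE, first fixed version).
FINDINGS = [
    ("netty", "3.10.1.Final", "CVE-2019-20444", "4.1.44.Final"),
    ("netty", "3.10.1.Final", "CVE-2019-20445", "4.1.44.Final"),
    ("jackson-databind", "2.9.7", "CVE-2018-19360", "2.9.8"),
    ("jackson-databind", "2.9.7", "CVE-2019-14379", "2.9.10"),
    ("jackson-databind", "2.9.7", "CVE-2019-16942", "2.9.10.1"),
    ("jackson-databind", "2.9.7", "CVE-2020-8840", "2.9.10.3"),
    ("log4j", "1.2.17", "CVE-2019-17571", "2.8.2"),
]

# Constructed pom.xml excerpt; the property names are assumptions.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <netty.version>4.1.50.Final</netty.version>
    <jackson.version>2.9.10</jackson.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId></dependency>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId></dependency>
  </dependencies>
</project>"""

# Scanned component -> pom property holding its version (assumed names).
COMPONENT_PROPERTY = {"netty": "netty.version", "jackson-databind": "jackson.version"}
# Coordinates that bring in end-of-life log4j 1.x, directly or via the SLF4J binding.
LOG4J1_COORDS = {("log4j", "log4j"), ("org.slf4j", "slf4j-log4j12")}


def version_key(version):
    """Ordering key for Maven-style versions: numeric segments compare as integers
    (2.9.10 < 2.9.10.1, 4.1.44 < 4.1.50); other segments (Final, el7) only break
    ties. A simplification of Maven's ComparableVersion, not a reimplementation."""
    nums, quals = [], []
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            quals.append(part)
    return (nums, quals)


def upgrade_targets(findings):
    """Per component, the lowest version closing every reported CVE: the
    maximum over the per-CVE fixed versions (2.9.10.3 for jackson-databind)."""
    targets = {}
    for component, _installed, _cve, fixed in findings:
        if component not in targets or version_key(fixed) > version_key(targets[component]):
            targets[component] = fixed
    return targets


def open_cves(findings, declared):
    """CVEs still open given the versions the build declares; a component with
    no declared version is assumed to remain at the scanned version."""
    still_open = defaultdict(list)
    for component, installed, cve, fixed in findings:
        if version_key(declared.get(component, installed)) < version_key(fixed):
            still_open[component].append(cve)
    return dict(still_open)


def pom_versions(pom_xml):
    """Versions of the mapped components as declared in <properties>."""
    props = ET.fromstring(pom_xml).find("m:properties", POM_NS)
    by_prop = {}
    for child in (props if props is not None else []):
        by_prop[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
    return {c: by_prop[p] for c, p in COMPONENT_PROPERTY.items() if p in by_prop}


def log4j1_dependencies(pom_xml):
    """Direct dependencies that pull in log4j 1.x. A version bump cannot close
    these: log4j 2.x is published under different coordinates."""
    hits = []
    for dep in ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        if (group, artifact) in LOG4J1_COORDS:
            hits.append(f"{group}:{artifact}")
    return hits


def triage(findings=FINDINGS, pom_xml=POM_XML):
    """Upgrade targets, CVEs the declared versions leave open, log4j 1.x pulls."""
    return {
        "targets": upgrade_targets(findings),
        "open": open_cves(findings, pom_versions(pom_xml)),
        "log4j1": log4j1_dependencies(pom_xml),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two things the table alone does not make obvious fall out of the run. For jackson-databind the target is the maximum of the per-CVE fixed versions, so a pom pinned to 2.9.10 still leaves CVE-2019-16942 and CVE-2020-8840 open even though it satisfies the earlier rows. For log4j the "version to be upgraded to" of 2.8.2 is not reachable by bumping log4j:log4j at all, since log4j 2.x lives under different coordinates, which is why the script flags the coordinates that pull 1.x in (including the slf4j-log4j12 binding pjfanning points at) instead of proposing a version.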



[GitHub] [bookkeeper] eolivelli commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-705565348


   In my opinion we should work in these areas:
   - update the base Docker image
   - move to JDK11
   - update jackson-databind dependencies
   - Apache log4j comes from ZooKeeper project probably, but probably we could drop it
   - update Netty to latest version
   
   @nicoloboschi @Ghatage @mino181295 do you have time to pick up these items? dependency upgrade / docker image upgrades





[GitHub] [bookkeeper] Ghatage commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
Ghatage commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-706796899


    @eolivelli The requirement for netty is to be at 4.1.44-Final at the least.
   It seems we are already at netty [4.1.50-Final](https://github.com/apache/bookkeeper/blob/41412bc647f94d6e13d8dde6daa3081c010d0806/pom.xml#L153) which happened [just a month ago](https://github.com/apache/bookkeeper/commit/7850554a8349cedf1d9236a242e2f7739b471bc9) so I think we are good on that for future releases. Should I backport these changes to [branch-4.9](https://github.com/apache/bookkeeper/tree/branch-4.9)?
    








[GitHub] [bookkeeper] sijie commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
sijie commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-666025717


   @eolivelli +1 from me. Although we also need to consider that Pulsar is using JDK8.





[GitHub] [bookkeeper] ravisharda commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
ravisharda commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-666897995


   Pravega also supports Java 8 as of now. Switching to Java 11 looks good to me, as long as it also continues to work with Java 8. 





[GitHub] [bookkeeper] jiazhai commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
jiazhai commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-666026605


   +1





[GitHub] [bookkeeper] eolivelli commented on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-705573249


   I am trying to upgrade to JDK11 here #2433





[GitHub] [bookkeeper] Ghatage edited a comment on issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Posted by GitBox <gi...@apache.org>.
Ghatage edited a comment on issue #2387:
URL: https://github.com/apache/bookkeeper/issues/2387#issuecomment-706796899


    @eolivelli The requirement for netty is to be at 4.1.44-Final at the least.
   It seems we are already at netty [4.1.50-Final](https://github.com/apache/bookkeeper/blob/41412bc647f94d6e13d8dde6daa3081c010d0806/pom.xml#L153) which happened [just a month ago](https://github.com/apache/bookkeeper/commit/7850554a8349cedf1d9236a242e2f7739b471bc9) so I think we are good on that for future releases. Should I backport these changes to [branch-4.9](https://github.com/apache/bookkeeper/tree/branch-4.9)?
   
   [Same with jackson-databind](https://github.com/apache/bookkeeper/blob/41412bc647f94d6e13d8dde6daa3081c010d0806/pom.xml#L139) dependency.

