Posted to issues@drill.apache.org by "Bradley Parker (Jira)" <ji...@apache.org> on 2019/10/21 14:26:00 UTC

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

Bradley Parker created DRILL-7416:
-------------------------------------

             Summary: Updates required to dependencies to resolve potential security vulnerabilities 
                 Key: DRILL-7416
                 URL: https://issues.apache.org/jira/browse/DRILL-7416
             Project: Apache Drill
          Issue Type: Bug
    Affects Versions: 1.16.0
            Reporter: Bradley Parker


After running an OWASP Dependency Check and ruling out false positives, I have found 25 dependencies that should be updated to remove potential vulnerabilities. They are listed alphabetically with their CVE information below.


CVSS scores (https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System) represent the severity of a vulnerability on a scale of 1-10, 10 being critical. CVEs (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) are public identifiers used to reference known vulnerabilities.


Package: avro-1.8.2
Should be: 1.9.0 (*Existing item at* *DRILL-7302*)
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list: CVE-2018-10237

Package: commons-beanutils-1.9.2
Should be: 1.9.4
Max CVE (CVSS): CVE-2019-10086 (7.3)
Complete CVE list: CVE-2019-10086

Package: commons-beanutils-core-1.8.0
Should be: Moved to commons-beanutils
Max CVE (CVSS): CVE-2014-0114 (7.5)
Complete CVE list: CVE-2014-0114
(Deprecated, replaced by commons-beanutils)

Package: converter-jackson
Should be: 2.5.0
Max CVE (CVSS): CVE-2018-1000850 (7.5)
Complete CVE list: CVE-2018-1000850

Package: derby-10.10.2.0
Should be: 10.14.2.0
Max CVE (CVSS): CVE-2015-1832 (9.1)
Complete CVE list: CVE-2015-1832
CVE-2018-1313

Package: drill-hive-exec-shaded
Should be: New release needed with updated Guava
Max CVE (CVSS): CVE-2018-10237 (7.5)
Complete CVE list: CVE-2018-10237

Package: drill-java-exec
Should be: New release needed with updated jQuery and Bootstrap
Max CVE (CVSS): CVE-2019-11358 (6.1)
Complete CVE list: CVE-2018-14040
CVE-2018-14041 
CVE-2018-14042
CVE-2019-8331
CVE-2019-11358

Package: drill-shaded-guava-23
Should be: New release needed with updated Guava
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list: CVE-2018-10237

Package: guava-19.0
Should be: 24.1.1
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list: CVE-2018-10237

Package: hadoop-yarn-common-2.7.4
Should be: 3.2.1
Max CVE (CVSS): CVE-2019-11358 (6.1)
Complete CVE list: CVE-2012-6708
CVE-2015-9251
CVE-2019-11358
CVE-2010-5312
CVE-2016-7103

Package: hbase-http-2.1.1.jar 
Should be: 2.1.4
Max CVE (CVSS): CVE-2019-0212 (7.5)
Complete CVE list: CVE-2019-0212

Package: httpclient-4.2.5.jar
Should be: 4.3.6
Max CVE (CVSS): CVE-2014-3577  (5.8)
Complete CVE list: CVE-2014-3577
CVE-2015-5262

Package: jackson-databind-2.9.5
Should be: 2.10.0
Max CVE (CVSS): CVE-2018-14721  (10)
Complete CVE list: CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14540
CVE-2019-14439
CVE-2019-14379
CVE-2018-11307
CVE-2019-12384
CVE-2019-12814
CVE-2019-12086
CVE-2018-12023
CVE-2018-12022
CVE-2018-19362
CVE-2018-19361
CVE-2018-19360
CVE-2018-14721
CVE-2018-14720
CVE-2018-14719
CVE-2018-14718
CVE-2018-1000873

Package: jetty-server-9.3.25.v20180904.jar (*Existing DRILL-7135, but that's to go to 9.4 and it's blocked, we should go to latest 9.3 in the meantime*)
Should be: 9.3.27.v20190418
Max CVE (CVSS): CVE-2017-9735 (7.5)
Complete CVE list: CVE-2017-9735
CVE-2019-10241
CVE-2019-10247

Package: Kafka 0.11.0.1
Should be: 2.2.0 (*Existing item DRILL-6739*)
Max CVE (CVSS): CVE-2018-17196 (8.8)
Complete CVE list: CVE-2018-17196
CVE-2018-1288
CVE-2017-12610

Package: kudu-client-1.3.0.jar 
Should be: 1.10.0
Max CVE (CVSS): CVE-2015-5237  (8.8)
Complete CVE list: CVE-2018-10237
CVE-2015-5237
CVE-2019-16869
(Only a partial fix, no fix for netty CVE-2019-16869 (7.5); kudu still needs to update their netty. This is not unexpected as this CVE is newer.)

Package: libfb303-0.9.3.jar
Should be: 0.12.0
Max CVE (CVSS): CVE-2018-1320 (7.5)
Complete CVE list: CVE-2018-1320
(Moved to libthrift)

Package: okhttp-3.3.0
Should be: 3.12.0
Max CVE (CVSS): CVE-2018-20200 (5.9)
Complete CVE list: CVE-2018-20200

Package: protobuf-java-2.5.0
Should be: 3.4.0
Max CVE (CVSS): CVE-2015-5237  (8.8)
Complete CVE list: CVE-2015-5237 

Package: retrofit-2.1.0
Should be: 2.5.0
Max CVE (CVSS): CVE-2018-1000850 (7.5)
Complete CVE list: CVE-2018-1000850

Package: scala-library-2.11.0
Should be: 2.11.12
Max CVE (CVSS): CVE-2017-15288 (7.8)
Complete CVE list: CVE-2017-15288

Package: serializer-2.7.1
Should be: 2.7.2
Max CVE (CVSS): CVE-2014-0107 (7.5)
Complete CVE list: CVE-2014-0107

Package: xalan-2.7.1
Should be: 2.7.2
Max CVE (CVSS): CVE-2014-0107 (7.5)
Complete CVE list: CVE-2014-0107

Package: xercesImpl-2.11.0
Should be: 2.12.0
Max CVE (CVSS): CVE-2012-0881 (7.5)
Complete CVE list: CVE-2012-0881

Package: zookeeper-3.4.12
Should be: 3.4.14
Max CVE (CVSS): CVE-2019-0201 (5.9)
Complete CVE list: CVE-2019-0201


Additional keywords for searching: Vulnerability, CVE, OWASP, Dependency Check
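As an added example, not part of the ticket or of Drill's own code, the following Python script parses records written in the ticket's own "Package / Should be / Max CVE (CVSS) / Complete CVE list" layout, orders them by CVSS so the worst exposure is fixed first, and reports CVEs that recur across packages (the sign of one transitive dependency, such as Guava, behind several entries). The three records are a constructed sample taken from the list above.

```python
import re
from collections import defaultdict

# Constructed sample in the ticket's own layout (three of the entries above)
REPORT = """\
Package: guava-19.0
Should be: 24.1.1
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list: CVE-2018-10237

Package: drill-shaded-guava-23
Should be: New release needed with updated Guava
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list: CVE-2018-10237

Package: derby-10.10.2.0
Should be: 10.14.2.0
Max CVE (CVSS): CVE-2015-1832 (9.1)
Complete CVE list: CVE-2015-1832
CVE-2018-1313
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MAX_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s*\((\d+(?:\.\d+)?)\)")


def parse_report(text):
    """Split the text into per-package records: package, target, max_cve, cvss, cves."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # continuation lines of the CVE list carry no "Key:" prefix
                fields[key.strip()] = value.strip()
        score = MAX_RE.search(fields["Max CVE (CVSS)"])
        entries.append({"package": fields["Package"], "target": fields["Should be"],
                        "max_cve": score.group(1), "cvss": float(score.group(2)),
                        "cves": sorted(set(CVE_RE.findall(block)))})  # ids anywhere in the block
    return entries


def prioritize(entries):
    """Order the upgrade queue by the worst CVSS score first."""
    return sorted(entries, key=lambda e: e["cvss"], reverse=True)


def shared_cves(entries):
    """Map each CVE to every package carrying it; repeats usually mean one transitive fix."""
    index = defaultdict(list)
    for entry in entries:
        for cve in entry["cves"]:
            index[cve].append(entry["package"])
    return {cve: pkgs for cve, pkgs in index.items() if len(pkgs) > 1}
```

Feeding the whole ticket text to parse_report gives the full queue; shared_cves then groups the Guava and Jackson entries that a single upgrade clears.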



--
This message was sent by Atlassian Jira
(v8.3.4#803005)