Posted to issues@kylin.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/09/29 10:37:00 UTC

[jira] [Commented] (KYLIN-3605) Fix security issues reported by snyk.io

    [ https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16632932#comment-16632932 ] 

ASF GitHub Bot commented on KYLIN-3605:
---------------------------------------

asfgit commented on issue #276: KYLIN-3605 upgrade hadoop-common and zookeeper version to fix securit…
URL: https://github.com/apache/kylin/pull/276#issuecomment-425635060
 
 
   Can one of the admins verify this patch?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Fix security issues reported by snyk.io
> ---------------------------------------
>
>                 Key: KYLIN-3605
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3605
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Priority: Major
>
> HIGH SEVERITY
> h1. Arbitrary Code Execution
>  * Vulnerable module: commons-beanutils:commons-beanutils
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1 › commons-configuration:commons-configuration@1.6 › commons-digester:commons-digester@1.8 › commons-beanutils:commons-beanutils@1.7.0
> *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_ do not suppress the class property, which allows remote attackers to manipulate the {{ClassLoader}} and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the {{getClass}} method of the {{ActionForm}} object in Struts 1.
>  
> HIGH SEVERITY
> h1. Arbitrary Command Execution
>  * Vulnerable module: org.mortbay.jetty:jetty
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1 › org.mortbay.jetty:jetty@6.1.26
> *Remediation:* No remediation path available.
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty] is an open-source project providing an HTTP server, HTTP client and javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command Execution. It writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.
> HIGH SEVERITY
> h1. Information Exposure
>  * Vulnerable module: org.apache.hadoop:hadoop-common
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1
> *Remediation:* No remediation path available.
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in NodeManager configs, it may be possible for any Container launched by that NodeManager to gain access to the encryption password. The other passwords themselves are not directly exposed.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
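The first finding quoted above ("do not suppress the class property") is easier to reason about with the traversal spelled out. The following is an added example written for this page; it is not code from Kylin, from PR #276, or from the snyk report. It assumes commons-beanutils 1.9.2 or later on the classpath, because that is where SuppressPropertiesBeanIntrospector was introduced; the 1.7.0 that hadoop-common 2.7.1 pulls in has no such switch at all. The Form class and the parameter map are constructed for the example.

```java
// Added example for KYLIN-3605 (not Kylin's or PR #276's code). Shows how a string
// property path walks from a request bean through getClass() into the ClassLoader,
// and how SuppressPropertiesBeanIntrospector closes that path.
// Assumption: commons-beanutils 1.9.2+ on the classpath.
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassProperty {

    /** Constructed request-bound bean of the kind a web framework fills from parameters. */
    public static class Form {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Introspection with the pre-1.9.4 behaviour: "class" is an ordinary readable property. */
    static PropertyUtilsBean legacyIntrospection() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        // 1.9.4 registers SUPPRESS_CLASS by default; removing it reproduces the old behaviour.
        // On 1.9.2/1.9.3 nothing was registered, so the call is a no-op.
        pub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    /** Introspection with the "class" property hidden, the fix shipped in newer releases. */
    static PropertyUtilsBean hardenedIntrospection() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    /** Resolves form.getClass().getClassLoader() from a string path; null means the path is blocked. */
    static Object resolveClassLoader(PropertyUtilsBean pub, Form form) throws Exception {
        try {
            return pub.getProperty(form, "class.classLoader");
        } catch (NoSuchMethodException blocked) {
            // With SUPPRESS_CLASS there is no "class" descriptor, so the first hop fails.
            return null;
        }
    }

    /** Populates a fresh Form from untrusted name=value pairs the way a framework would. */
    static Form populate(PropertyUtilsBean pub, Map<String, String> params) throws Exception {
        Form form = new Form();
        new BeanUtilsBean(new ConvertUtilsBean(), pub).populate(form, params);
        return form;
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-style input: one legitimate field plus a nested path that ends at
        // ClassLoader.setDefaultAssertionStatus(boolean), a harmless writable property chosen only
        // to show that loader state is reachable from a request string.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("class.classLoader.defaultAssertionStatus", "true");

        Form form = new Form();
        System.out.println("legacy   class.classLoader -> " + resolveClassLoader(legacyIntrospection(), form));
        System.out.println("hardened class.classLoader -> " + resolveClassLoader(hardenedIntrospection(), form));

        // Legacy: both entries are applied; the second one lands on the application ClassLoader.
        populate(legacyIntrospection(), params);

        // Hardened: "class" has no descriptor, BeanUtilsBean.setProperty skips the nested path,
        // and only the real field is set.
        Form safe = populate(hardenedIntrospection(), params);
        System.out.println("hardened populate kept name=" + safe.getName());
    }
}
```

Snyk's "No remediation path available" means it found no version of the direct dependency (here the dropwizard metrics2 reporter) that drops the vulnerable transitive artifact. Overriding the transitive version yourself, as PR #276 does for hadoop-common, or pinning commons-beanutils in dependencyManagement, is the usual answer; after either change, confirm the resolved version with `mvn dependency:tree -Dincludes=commons-beanutils`, since a pin that is shadowed by a nearer path in the tree changes nothing.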