Posted to issues@carbondata.apache.org by "XuCongying (Jira)" <ji...@apache.org> on 2020/03/02 15:39:00 UTC

[jira] [Commented] (CARBONDATA-3729) Please avoid using libraries with CVEs

    [ https://issues.apache.org/jira/browse/CARBONDATA-3729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17049326#comment-17049326 ] 

XuCongying commented on CARBONDATA-3729:
----------------------------------------

I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. Here is the detailed information:
 * *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.2

 * *Call Chain to Buggy Methods:*

 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java, core/src/main/java/org/apache/carbondata/core/datastore/impl/FileFactory.java

 *** One of the possible call chains:
org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.get(java.net.URI,org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.getDefaultUri(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.security.UserGroupInformation.getCurrentUser(), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  processing/src/main/java/org/apache/carbondata/processing/util/Auditor.java, common/src/main/java/org/apache/carbondata/common/logging/LogService.java

 *** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getCurrentUser()
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.security.UserGroupInformation.getLoginUser(), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  core/src/main/java/org/apache/carbondata/core/util/CarbonUtil.java

 *** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.get(java.lang.String), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  processing/src/main/java/org/apache/carbondata/processing/loading/jsoninput/JsonInputFormat.java, core/src/main/java/org/apache/carbondata/core/datamap/DataMapUtil.java, core/src/main/java/org/apache/carbondata/core/util/CarbonProperties.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java, processing/src/main/java/org/apache/carbondata/processing/loading/jsoninput/JsonInputFormat.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean)
org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Update suggestion:* version 3.2.1. 3.2.1 is a safe version without CVEs. From 2.7.2 to 3.2.1, 20 of the APIs (called 81 times in your project) were modified.

> Please avoid using libraries with CVEs
> --------------------------------------
>
>                 Key: CARBONDATA-3729
>                 URL: https://issues.apache.org/jira/browse/CARBONDATA-3729
>             Project: CarbonData
>          Issue Type: Bug
>            Reporter: XuCongying
>            Priority: Major
>
> Hi, I noticed that your project is using vulnerable libraries which are related to some CVEs. To prevent the potential security risks they may cause, I suggest updating the library dependency. See below for more details:
>  
> Vulnerable Library Version: org.scala-lang : scala-compiler : 2.11.8
>   CVE ID: [CVE-2017-15288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15288)
>   Import Path: integration/spark-common/pom.xml
>   Suggested Safe Versions: 2.11.12, 2.12.10, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.13.0, 2.13.0-M1, 2.13.0-M2, 2.13.0-M3, 2.13.0-M3-f73b161, 2.13.0-M4, 2.13.0-M4-pre-20d3c21, 2.13.0-M5, 2.13.0-M5-1775dba, 2.13.0-M5-5eef812, 2.13.0-M5-6e0cba7, 2.13.0-RC1, 2.13.0-RC2, 2.13.0-RC3, 2.13.1
>  Vulnerable Library Version: org.apache.lucene : lucene-queryparser : 6.3.0
>   CVE ID: [CVE-2017-12629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629)
>   Import Path: datamap/lucene/pom.xml
>   Suggested Safe Versions: 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1
>  Vulnerable Library Version: org.apache.hive : hive-service : 1.2.1
>   CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: integration/hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  Vulnerable Library Version: com.google.guava : guava : 14.0.1
>   CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
>   Import Path: datamap/bloom/pom.xml
>   Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>  Vulnerable Library Version: org.apache.hive : hive-exec : 1.2.1
>   CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: integration/hive/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  Vulnerable Library Version: org.apache.spark : spark-core_2.11 : 2.3.4
>   CVE ID: [CVE-2017-7678](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678), [CVE-2018-3826](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3826), [CVE-2018-11770](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11770)
>   Import Path: examples/spark2/pom.xml, integration/spark-common-test/pom.xml, integration/presto/pom.xml, integration/spark2/pom.xml, datamap/mv/core/pom.xml, datamap/mv/plan/pom.xml
>   Suggested Safe Versions: 2.4.5
>  Vulnerable Library Version: org.apache.spark : spark-core_2.11 : 2.4.4
>   CVE ID: [CVE-2017-7678](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678)
>   Import Path: integration/spark2/pom.xml, datamap/mv/plan/pom.xml
>   Suggested Safe Versions: 2.4.5
>  Vulnerable Library Version: org.apache.lucene : lucene-core : 6.3.0
>   CVE ID: [CVE-2017-3163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163)
>   Import Path: datamap/lucene/pom.xml
>   Suggested Safe Versions: 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.0.0, 7.0.1, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1
>  Vulnerable Library Version: org.apache.hive : hive-jdbc : 1.2.1
>   CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1282](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1282)
>   Import Path: integration/hive/pom.xml
>   Suggested Safe Versions: 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  Vulnerable Library Version: org.apache.thrift : libthrift : 0.9.3
>   CVE ID: [CVE-2018-1320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320)
>   Import Path: format/pom.xml
>   Suggested Safe Versions: 0.12.0, 0.13.0
>  Vulnerable Library Version: org.apache.hadoop : hadoop-hdfs : 2.7.2
>   CVE ID: [CVE-2018-11768](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768)
>   Import Path: core/pom.xml, processing/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.8.5, 2.9.2, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  Vulnerable Library Version: org.apache.zookeeper : zookeeper : 3.4.7
>   CVE ID: [CVE-2018-8012](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012), [CVE-2019-0201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201), [CVE-2017-5637](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637)
>   Import Path: core/pom.xml
>   Suggested Safe Versions: 3.4.14, 3.5.5, 3.5.6, 3.5.7
>  Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.5
>   CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
>   Import Path: integration/flink/pom.xml
>   Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.2
>   CVE ID: [CVE-2016-5393](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5393), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009), [CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811), [CVE-2017-15718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718), [CVE-2016-3086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3086), [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713), [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029)
>   Import Path: core/pom.xml, processing/pom.xml, common/pom.xml
>   Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  Vulnerable Library Version: org.apache.httpcomponents : httpclient : 4.3.4
>   CVE ID: [CVE-2014-3577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577), [CVE-2015-5262](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262)
>   Import Path: examples/spark2/pom.xml, integration/hive/pom.xml, integration/spark2/pom.xml, store/sdk/pom.xml
>   Suggested Safe Versions: 4.3.6, 4.4, 4.4-alpha1, 4.4-beta1, 4.4.1, 4.5, 4.5.1, 4.5.10, 4.5.11, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9
>  Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.6.5
>   CVE ID: [CVE-2017-17485](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485), [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439), [CVE-2018-19362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362), [CVE-2018-11307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307), [CVE-2018-14721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721), [CVE-2018-14719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719), [CVE-2018-7489](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489), [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2017-15095](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095), [CVE-2018-14718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718), [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2018-19361](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361), [CVE-2018-19360](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360), [CVE-2018-14720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720), [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942), [CVE-2017-7525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525)
>   Import Path: store/sdk/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3
>  Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.8.1
>   CVE ID: [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2017-17485](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485), [CVE-2018-11307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307), [CVE-2018-7489](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489), [CVE-2018-19360](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439), [CVE-2017-15095](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095), [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-14379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379), [CVE-2018-14720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720), [CVE-2018-12023](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023), [CVE-2017-7525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525), [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384), [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2018-14721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721), [CVE-2018-14719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719), [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2018-14718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718), [CVE-2018-19362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362), [CVE-2018-19361](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361), [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942)
>   Import Path: integration/presto/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3
>  Vulnerable Library Version: org.apache.solr : solr-core : 6.3.0
>   CVE ID: [CVE-2017-12629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629), [CVE-2018-8010](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8010), [CVE-2017-3163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163), [CVE-2017-7660](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7660), [CVE-2017-9803](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9803), [CVE-2017-3164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164), [CVE-2018-8026](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8026), [CVE-2019-0192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192)
>   Import Path: datamap/lucene/pom.xml
>   Suggested Safe Versions: 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1



--
This message was sent by Atlassian Jira
(v8.3.4#803005)