Posted to dev@calcite.apache.org by Volodymyr Vysotskyi <vo...@apache.org> on 2018/06/25 10:20:37 UTC

Vulnerabilities in calcite-spark module

Hi all,

I found that a check for vulnerabilities among dependencies fails
for the calcite-spark module.
The same problem is observed for version 1.16.

Should we block the release until this issue is fixed, or fix it after the
release in Calcite 1.18?

Output for "mvn install -Ppedantic -DskipTests=true":
One or more dependencies were identified with known vulnerabilities in
Calcite Spark:

jackson-databind-2.9.4.jar
(com.fasterxml.jackson.core:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
CVE-2018-7489
protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0,
cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
commons-beanutils-core-1.8.0.jar
(commons-beanutils:commons-beanutils-core:1.8.0,
cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0,
cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1,
cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) :
CVE-2015-5262, CVE-2014-3577
javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2,
javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) :
CVE-2015-9097
validation-api-1.1.0.Final.jar
(cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~,
javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2,
javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13)
: CVE-2007-1100
py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) :
CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158,
CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652,
CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150,
CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143,
CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679,
CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7,
org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161,
CVE-2016-5001
curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0,
org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30,
org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6,
org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017,
CVE-2014-0085
jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13,
cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) :
CVE-2018-5968, CVE-2017-17485
jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908,
cpe:/a:jetty:jetty:9.2.19.v20160908,
org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26,
cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26,
org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0,
org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1,
xalan:serializer:2.7.1) : CVE-2014-0107
xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) :
CVE-2014-0107
xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1,
xerces:xercesImpl:2.9.1) : CVE-2012-0881
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
(com.fasterxml.jackson.core:jackson-databind:2.4.0,
cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
(cpe:/a:eclipse:jetty:9.3.11.v20160721,
cpe:/a:jetty:jetty:9.3.11.v20160721,
org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735

Kind regards,
Volodymyr Vysotskyi
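
The report above is hard to triage in its mail-wrapped form. As an added example (not part of the original message or of Calcite's build), the Python below re-joins the wrapped entries, parses each into file, Maven coordinates and CVE list, marks findings located inside another jar, and flags entries where no CPE product name appears in the Maven artifactId so they can be verified by hand. The function names and the matching heuristic are assumptions of this example; the sample is an excerpt of the entries quoted above.

```python
import re

# Excerpt of the report quoted above, mail line wraps kept as posted.
REPORT = """\
jackson-databind-2.9.4.jar
(com.fasterxml.jackson.core:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
CVE-2018-7489
py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) :
CVE-2018-1000030, CVE-2017-18207
validation-api-1.1.0.Final.jar
(cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~,
javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
(cpe:/a:eclipse:jetty:9.3.11.v20160721,
cpe:/a:jetty:jetty:9.3.11.v20160721,
org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735
"""

# One entry: file (comma-separated identifiers) : comma-separated CVE ids
ENTRY = re.compile(r"(\S+)\s+\(([^)]*)\)\s*:\s*((?:CVE-\d{4}-\d+(?:,\s*)?)+)")


def norm(name):
    """Lower-case and treat '_' like '-' (commons_beanutils vs commons-beanutils)."""
    return name.lower().replace("_", "-")


def parse_report(text):
    """Turn the wrapped 'file (ids) : CVEs' listing into one dict per dependency."""
    flat = " ".join(text.split())  # undo the mail client's line wrapping
    records = []
    for path, ids, cves in ENTRY.findall(flat):
        ids = [i.strip() for i in ids.split(",") if i.strip()]
        cpes = [i for i in ids if i.startswith("cpe:/")]
        gavs = [i for i in ids if not i.startswith("cpe:/")]
        # Maven coordinates are group:artifact:version; some entries have none.
        parts = gavs[0].split(":") if gavs else []
        artifact = norm(parts[1]) if len(parts) > 1 else ""
        # cpe:/a:vendor:product:version -> field 3 is the product name.
        products = {norm(c.split(":")[3]) for c in cpes if c.count(":") >= 3}
        records.append({
            "file": path,
            "gav": gavs[0] if gavs else None,
            "cves": re.findall(r"CVE-\d{4}-\d+", cves),
            # Finding is on a pom.xml embedded in another jar, not on a direct jar.
            "bundled": ".jar/" in path,
            # Heuristic (assumption): CPE product unrelated to the artifactId
            # means the CPE match itself should be confirmed before acting.
            "needs_review": not any(p in artifact for p in products),
        })
    return records


if __name__ == "__main__":
    for rec in parse_report(REPORT):
        tag = "REVIEW" if rec["needs_review"] else "ok"
        print(f"{tag:6} {rec['gav']} bundled={rec['bundled']} {rec['cves']}")
```
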

Re: Vulnerabilities in calcite-spark module

Posted by Кривенко Ігор <kr...@gmail.com>.
Hi all. I've tried to update the spark_core version to the latest version, 2.3.1,
from Maven Central, and it still has security vulnerabilities.

Mon, 25 Jun 2018 at 17:06, Michael Mior <mm...@apache.org> wrote:

> Thanks for noting this. Agreed with Francis that we should fix before the
> release if possible. Hopefully, it's as simple as upgrading the
> dependencies and running tests to ensure no breaking changes have been
> introduced.
> --
> Michael Mior
> mmior@apache.org
>

Re: Vulnerabilities in calcite-spark module

Posted by Michael Mior <mm...@apache.org>.
Thanks for noting this. Agreed with Francis that we should fix before the
release if possible. Hopefully, it's as simple as upgrading the
dependencies and running tests to ensure no breaking changes have been
introduced.
--
Michael Mior
mmior@apache.org




Re: Vulnerabilities in calcite-spark module

Posted by Francis Chuang <fr...@apache.org>.
I think it would be a good idea to make this blocking for 1.18.
Can you open a JIRA for this?

Francis
