Posted to dev@drill.apache.org by Bradley Parker <br...@ca.ibm.com> on 2019/10/17 19:40:22 UTC
Dependencies used by Drill contain known vulnerabilities
Hello Apache Drill Devs,
We are looking to make use of Apache Drill for a project; as a member of our
product security team, I was asked to perform a dependency analysis of Drill.
I identified 24 dependencies with known vulnerabilities using OWASP
Dependency Scan.
I found this in the archives from two years ago
http://mail-archives.apache.org/mod_mbox/drill-dev/201709.mbox/%3Cb4df2a35-121c-11a5-a666-4af7bd98b1db@apache.org%3E
discussing the potential of integrating OWASP into the project.
Aside from Kafka [DRILL-6739] and Avro [DRILL-7302] I was unable to find mention
in Jira of updates to the remaining 22 libraries. Is it reasonable to assume
there is no plan to upgrade at this time then?
I’m more than willing to step up and raise these and future dependency
vulnerabilities I am aware of in Jira to get the discussions started.
I think that is a good place to raise these security issues, and from there the
community can discuss upgrading the affected dependencies, or rule them out as
not applicable.
Thank you for your time,
-Brad
For reference, the list of vulnerabilities identified by the OWASP tool:
Package: avro-1.8.2
Should be: 1.9.0
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list:
CVE-2018-10237
Package: commons-beanutils-1.9.2
Should be: 1.9.4
Max CVE (CVSS): CVE-2019-10086 (7.3)
Complete CVE list:
CVE-2019-10086
Package: commons-beanutils-core-1.8.0
Should be: Moved to commons-beanutils
Max CVE (CVSS): CVE-2014-0114 (7.5)
Complete CVE list:
CVE-2014-0114
Package: converter-jackson
Should be: 2.5.0
Max CVE (CVSS): CVE-2018-1000850 (7.5)
Complete CVE list:
CVE-2018-1000850
Package: derby-10.10.2.0
Should be: 10.14.2.0
Max CVE (CVSS): CVE-2015-1832 (9.1)
Complete CVE list:
CVE-2015-1832
CVE-2018-1313
Package: drill-hive-exec-shaded
Should be: New release needed with updated Guava
Max CVE (CVSS): CVE-2018-10237 (7.5)
Complete CVE list:
CVE-2018-10237
Package: drill-java-exec
Should be: New release needed with updated jQuery and Bootstrap
Max CVE (CVSS): CVE-2019-11358 (6.1)
Complete CVE list:
CVE-2018-14040
CVE-2018-14041
CVE-2018-14042
CVE-2019-8331
CVE-2019-11358
Package: drill-shaded-guava-23
Should be: New release needed with updated Guava
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list:
CVE-2018-10237
Package: guava-19.0
Should be: 24.1.1
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list:
CVE-2018-10237
Package: hadoop-yarn-common-2.7.4
Should be: 3.2.1
Max CVE (CVSS): CVE-2019-11358 (6.1)
Complete CVE list:
CVE-2012-6708
CVE-2015-9251
CVE-2019-11358
CVE-2010-5312
CVE-2016-7103
Package: hbase-http-2.1.1.jar
Should be: 2.1.4
Max CVE (CVSS): CVE-2019-0212 (7.5)
Complete CVE list:
CVE-2019-0212
Package: httpclient-4.2.5.jar
Should be: 4.3.6
Max CVE (CVSS): CVE-2014-3577 (5.8)
Complete CVE list:
CVE-2014-3577
CVE-2015-5262
Package: jackson-databind-2.9.5
Should be: 2.10.0
Max CVE (CVSS): CVE-2018-14721 (10)
Complete CVE list:
CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14540
CVE-2019-14439
CVE-2019-14379
CVE-2018-11307
CVE-2019-12384
CVE-2019-12814
CVE-2019-12086
CVE-2018-12023
CVE-2018-12022
CVE-2018-19362
CVE-2018-19361
CVE-2018-19360
CVE-2018-14721
CVE-2018-14720
CVE-2018-14719
CVE-2018-14718
CVE-2018-1000873
Package: Kafka 0.11.0.1
Should be: 2.1.0
Max CVE (CVSS): CVE-2018-17196 (8.8)
Complete CVE list:
CVE-2018-17196
CVE-2018-1288
CVE-2017-12610
Package: kudu-client-1.3.0.jar
Should be: 1.10.0
Only a partial fix, no fix for netty CVE-2019-16869 (7.5), kudu still needs to
update their netty (this is not unexpected as this CVE is newer)
Max CVE (CVSS): CVE-2015-5237 (8.8)
Complete CVE list:
CVE-2018-10237
CVE-2015-5237
CVE-2019-16869
Package: libfb303-0.9.3.jar
Should be: libthrift 0.12.0
Moved to libthrift
Max CVE (CVSS): CVE-2018-1320 (7.5)
Complete CVE list:
CVE-2018-1320
Package: okhttp-3.3.0
Should be: 3.12.0
Max CVE (CVSS): CVE-2018-20200 (5.9)
Complete CVE list:
CVE-2018-20200
Package: protobuf-java-2.5.0
Should be: 3.4.0
Max CVE (CVSS): CVE-2015-5237 (8.8)
Complete CVE list:
CVE-2015-5237
Package: retrofit-2.1.0
Should be: 2.5.0
Max CVE (CVSS): CVE-2018-1000850 (7.5)
Complete CVE list:
CVE-2018-1000850
Package: scala-library-2.11.0
Should be: 2.11.12
Max CVE (CVSS): CVE-2017-15288 (7.8)
Complete CVE list:
CVE-2017-15288
Package: serializer-2.7.1
Should be: 2.7.2
Max CVE (CVSS): CVE-2014-0107 (7.5)
Complete CVE list:
CVE-2014-0107
Package: xalan-2.7.1
Should be: 2.7.2
Max CVE (CVSS): CVE-2014-0107 (7.5)
Complete CVE list:
CVE-2014-0107
Package: xercesImpl-2.11.0
Should be: 2.12.0
Max CVE (CVSS): CVE-2012-0881 (7.5)
Complete CVE list:
CVE-2012-0881
Package: zookeeper-3.4.12
Should be: 3.4.14
Max CVE (CVSS): CVE-2019-0201 (5.9)
Complete CVE list:
CVE-2019-0201
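As an added example (not code from this thread or from the Drill project), a small Python parser for the report format above: it reads the "Package / Should be / Max CVE / Complete CVE list" records, keeps free-text notes such as the kudu netty caveat instead of dropping them, and groups packages that share a CVE, which usually points at one transitive dependency behind several findings and helps decide whether one upgrade ticket or several are needed. The REPORT string is a constructed subset of the list above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same format as the report in the e-mail above.
REPORT = """\
Package: guava-19.0
Should be: 24.1.1
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list:
CVE-2018-10237
Package: kudu-client-1.3.0.jar
Should be: 1.10.0
Only a partial fix, no fix for netty CVE-2019-16869 (7.5), kudu still needs to
update their netty (this is not unexpected as this CVE is newer)
Max CVE (CVSS): CVE-2015-5237 (8.8)
Complete CVE list:
CVE-2018-10237
CVE-2015-5237
CVE-2019-16869
Package: protobuf-java-2.5.0
Should be: 3.4.0
Max CVE (CVSS): CVE-2015-5237 (8.8)
Complete CVE list:
CVE-2015-5237
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
MAX_RE = re.compile(r"^Max CVE \(CVSS\): (CVE-\d{4}-\d{4,}) \(([\d.]+)\)$")


def parse_report(text):
    """Parse the records into dicts; free-text lines inside a record (like the
    netty note on kudu) are kept as notes, not mistaken for CVE ids."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Package: "):
            # rstrip('.') tolerates a stray trailing period after the version
            cur = {"package": line[len("Package: "):].rstrip("."), "target": None,
                   "max_cve": None, "cvss": None, "cves": [], "notes": []}
            records.append(cur)
        elif cur is None:
            continue  # text before the first record
        elif line.startswith("Should be: "):
            cur["target"] = line[len("Should be: "):]
        elif (m := MAX_RE.match(line)):
            cur["max_cve"], cur["cvss"] = m.group(1), float(m.group(2))
        elif line == "Complete CVE list:":
            continue
        elif CVE_RE.match(line):
            cur["cves"].append(line)
        else:
            cur["notes"].append(line)
    return records


def shared_cves(records):
    """CVEs carried by more than one package: these usually trace back to one
    transitive dependency (Guava, protobuf) and can be fixed under one ticket."""
    by_cve = defaultdict(list)
    for r in records:
        for cve in r["cves"]:
            by_cve[cve].append(r["package"])
    return {cve: pkgs for cve, pkgs in by_cve.items() if len(pkgs) > 1}


def by_severity(records, threshold=7.0):
    """Packages whose worst CVSS is at or above threshold, highest first."""
    hits = [r for r in records if r["cvss"] is not None and r["cvss"] >= threshold]
    return sorted(hits, key=lambda r: r["cvss"], reverse=True)
```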
Re: Dependencies used by Drill contain known vulnerabilities
Posted by Charles Givre <cg...@gmail.com>.
Good question. I'd suggest creating one, and if issues arise in the process, create a separate issue for that. But it seems excessive to create separate issues for each update especially if all you are doing is updating a pom file. That's just my .02.
-- C
> On Oct 18, 2019, at 11:59 AM, Bradley Parker <br...@ca.ibm.com> wrote:
>
> Thank you Charles, will do. Is it more appropriate to open one JIRA for all the packages or to break each package into a separate issue?
>
> -Brad
>
> -----Charles Givre <cg...@gmail.com> wrote: -----
> To: dev@drill.apache.org
> From: Charles Givre <cg...@gmail.com>
> Date: 10/17/2019 04:57PM
> Cc: Glen Bizeau <Gl...@ca.ibm.com>, Sean Peppard <Se...@ca.ibm.com>
> Subject: [EXTERNAL] Re: Dependencies used by Drill contain known vulnerabilities
>
> Hi Brad,
> Thanks for your interest in Drill. Can you please create a JIRA (issues.apache.org <http://issues.apache.org/>) and start the discussion.
> Thanks,
> -- C
>
>> On Oct 17, 2019, at 3:40 PM, Bradley Parker <br...@ca.ibm.com> wrote:
RE: Dependencies used by Drill contain known vulnerabilities
Posted by Bradley Parker <br...@ca.ibm.com>.
Thank you Charles, will do. Is it more appropriate to open one JIRA for all the packages or to break each package into a separate issue?
-Brad
-----Charles Givre <cg...@gmail.com> wrote: -----
To: dev@drill.apache.org
From: Charles Givre <cg...@gmail.com>
Date: 10/17/2019 04:57PM
Cc: Glen Bizeau <Gl...@ca.ibm.com>, Sean Peppard <Se...@ca.ibm.com>
Subject: [EXTERNAL] Re: Dependencies used by Drill contain known vulnerabilities
Hi Brad,
Thanks for your interest in Drill. Can you please create a JIRA (issues.apache.org <http://issues.apache.org/>) and start the discussion.
Thanks,
-- C
> On Oct 17, 2019, at 3:40 PM, Bradley Parker <br...@ca.ibm.com> wrote:
Re: Dependencies used by Drill contain known vulnerabilities
Posted by Charles Givre <cg...@gmail.com>.
Hi Brad,
Thanks for your interest in Drill. Can you please create a JIRA (issues.apache.org <http://issues.apache.org/>) and start the discussion.
Thanks,
-- C
> On Oct 17, 2019, at 3:40 PM, Bradley Parker <br...@ca.ibm.com> wrote: