Posted to issues@storm.apache.org by "XuCongying (Jira)" <ji...@apache.org> on 2020/03/01 12:58:00 UTC

[jira] [Created] (STORM-3592) Vulnerable dependencies in your project.(CVEs)

XuCongying created STORM-3592:
---------------------------------

             Summary: Vulnerable dependencies in your project.(CVEs)
                 Key: STORM-3592
                 URL: https://issues.apache.org/jira/browse/STORM-3592
             Project: Apache Storm
          Issue Type: Dependency upgrade
            Reporter: XuCongying


Hi,
I found some CVEs in the library dependencies, which may affect the security of your projects. In order to avoid threats, I recommend updating to a safe version. Here is the detailed information:
 
Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.8.5
  CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
  Import Path: external/storm-hdfs/pom.xml, external/storm-hdfs-blobstore/pom.xml, external/storm-blobstore-migration/pom.xml
  Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

 Vulnerable Library Version: org.eclipse.jetty : jetty-server : 9.4.14.v20181114
  CVE ID: [CVE-2019-10247](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247)
  Import Path: examples/storm-loadgen/pom.xml, storm-core/pom.xml
  Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

 Vulnerable Library Version: org.apache.commons : commons-compress : 1.18
  CVE ID: [CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)
  Import Path: storm-server/pom.xml, examples/storm-pmml-examples/pom.xml
  Suggested Safe Versions: 1.19, 1.20

 Vulnerable Library Version: org.eclipse.jetty : jetty-util : 9.4.14.v20181114
  CVE ID: [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246), [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241)
  Import Path: storm-core/pom.xml
  Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

 Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.11.0.3
  CVE ID: [CVE-2019-17196](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196)
  Import Path: external/storm-kafka-client/pom.xml, external/storm-kafka-client/pom.xml
  Suggested Safe Versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0

 Vulnerable Library Version: com.google.guava : guava : 17.0
  CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
  Import Path: external/storm-solr/pom.xml, examples/storm-solr-examples/pom.xml
  Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre

 Vulnerable Library Version: com.google.guava : guava : 16.0.1
  CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
  Import Path: sql/storm-sql-runtime/pom.xml, sql/storm-sql-external/storm-sql-hdfs/pom.xml...(The rest of the 17 paths is hidden.)
  Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre

 Vulnerable Library Version: org.apache.thrift : libthrift : 0.9.3
  CVE ID: [CVE-2018-1320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320)
  Import Path: external/storm-hive/pom.xml
  Suggested Safe Versions: 0.12.0, 0.13.0

 Vulnerable Library Version: org.apache.activemq : activemq-client : 5.15.8
  CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
  Import Path: examples/storm-jms-examples/pom.xml
  Suggested Safe Versions: 5.15.10, 5.15.11, 5.15.9

 Vulnerable Library Version: org.apache.solr : solr-core : 5.5.5
  CVE ID: [CVE-2017-3164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164), [CVE-2019-0192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192)
  Import Path: external/storm-solr/pom.xml
  Suggested Safe Versions: 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1

 Vulnerable Library Version: org.fusesource.mqtt-client : mqtt-client : 1.14
  CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
  Import Path: examples/storm-mqtt-examples/pom.xml
  Suggested Safe Versions: 1.16

 Vulnerable Library Version: org.fusesource.mqtt-client : mqtt-client : 1.10
  CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
  Import Path: external/storm-mqtt/pom.xml
  Suggested Safe Versions: 1.16

 Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.9.8
  CVE ID: [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-16335](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384), [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439), [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-14379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379), [CVE-2019-14540](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540), [CVE-2019-17267](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267), [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942)
  Import Path: sql/storm-sql-runtime/pom.xml, external/storm-hbase/pom.xml, external/storm-elasticsearch/pom.xml, external/storm-kafka-migration/pom.xml, external/storm-redis/pom.xml, external/storm-opentsdb/pom.xml, external/storm-kafka-client/pom.xml, storm-webapp/pom.xml
  Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3



