Posted to issues@ambari.apache.org by "XuCongying (Jira)" <ji...@apache.org> on 2020/03/03 09:06:00 UTC

[jira] [Created] (AMBARI-25490) CVEs in the dependencies are in the execution path of your project

XuCongying created AMBARI-25490:
-----------------------------------

             Summary: CVEs in the dependencies are in the execution path of your project
                 Key: AMBARI-25490
                 URL: https://issues.apache.org/jira/browse/AMBARI-25490
             Project: Ambari
          Issue Type: Bug
            Reporter: XuCongying


Hello, your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. Here are the details:
 # *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.2

 * *Call Chain to Buggy Methods:*

 ** *Some files in your project call the library method org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[]), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  ambari-server/src/main/java/org/apache/ambari/server/credentialapi/CredentialUtil.java

 *** One of the possible call chains:
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.Options,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(org.apache.commons.cli.Options,org.apache.hadoop.conf.Configuration,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.CommandLine)
org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 * *Update suggestion:* version 3.2.1 is a safe version without CVEs. From 2.7.2 to 3.2.1, 3 of the APIs (called 6 times in your project) were modified.

 # *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.2.0

 * *Call Chain to Buggy Methods:*

 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.get(java.lang.String), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  contrib/ambari-scom/metrics-sink/src/main/java/org/apache/hadoop/metrics2/sink/SqlSink.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 * *Update suggestion:* version 3.2.1 is a safe version without CVEs. From 2.2.0 to 3.2.1, 1 of the APIs (called 2 times in your project) was modified.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)