You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "Arina Ielchiieva (Jira)" <ji...@apache.org> on 2019/11/04 12:49:00 UTC
[jira] [Updated] (DRILL-7162) Apache Drill uses
3rd Party with Highest CVEs
[ https://issues.apache.org/jira/browse/DRILL-7162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arina Ielchiieva updated DRILL-7162:
------------------------------------
Fix Version/s: (was: 1.17.0)
> <SECURITY ISSUE> Apache Drill uses 3rd Party with Highest CVEs
> --------------------------------------------------------------
>
> Key: DRILL-7162
> URL: https://issues.apache.org/jira/browse/DRILL-7162
> Project: Apache Drill
> Issue Type: Bug
> Affects Versions: 1.13.0, 1.14.0, 1.15.0
> Reporter: Ayush Sharma
> Priority: Major
> Attachments: Jars.xlsx
>
>
> Apache Drill uses 3rd party libraries with almost 250+ CVEs.
> Most of the CVEs are in the older version of Jetty (9.1.x) whereas the current version of Jetty is 9.4.x
> Also many of the other libraries are in EOF versions and the are not patched even in the latest release.
> This creates an issue of security when we use it in production.
> We are able to replace many older version of libraries with the latest versions with no CVEs , however many of them are not replaceable as it is and would require some changes in the source code.
> The jetty version is of the highest priority and needs migration to 9.4.x version immediately.
>
> Please look into this issue at immediate priority as it compromises with the security of the application utilizing Apache Drill.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)