Rendered: https://github.com/trinodb/trino/pull/20739#issuecomment-1952114587
On Mon, Feb 19, 2024 at 10:43 AM Mateusz Gajewski <mateusz.gajew...@starburstdata.com> wrote:

> Yeah, attachment was sent but not delivered.
>
> Inline version
>
> "avro" "1.7.7" "java-archive" "CVE-2023-39410" "High" "When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue. " "fixed" "[1.11.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "commons-net" "3.6" "java-archive" "CVE-2021-37533" "Medium" "Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711." "fixed" "[3.9.0]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "hadoop-common" "3.1.4" "java-archive" "CVE-2022-26612" "Critical" "In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3" "fixed" "[3.2.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "hadoop-common" "3.1.4" "java-archive" "CVE-2022-25168" "Critical" "Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136)." "fixed" "[3.2.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "hadoop-common" "3.1.4" "java-archive" "CVE-2021-37404" "Critical" "There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher." "fixed" "[3.2.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "httpclient" "4.5.2" "java-archive" "CVE-2020-13956" "Medium" "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution." "fixed" "[4.5.13]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-9548" "Critical" "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)." "fixed" "[2.7.9.7]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-9547" "Critical" "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap)." "fixed" "[2.7.9.7]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-8840" "Critical" "FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter." "fixed" "[2.6.7.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-20330" "Critical" "FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking." "fixed" "[2.6.7.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-17531" "Critical" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload." "fixed" "[2.6.7.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-17267" "Critical" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup." "fixed" "[2.8.11.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-16943" "Critical" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling." "fixed" "[2.6.7.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-16942" "Critical" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling." "fixed" "[2.9.10.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-16335" "Critical" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540." "fixed" "[2.6.7.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-14892" "Critical" "A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code." "fixed" "[2.6.7.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-14540" "Critical" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig." "fixed" "[2.6.7.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-14379" "Critical" "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution." "fixed" "[2.7.9.6]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2018-7489" "Critical" "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath." "fixed" "[2.8.11.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2018-14719" "Critical" "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization." "fixed" "[2.7.9.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2018-14718" "Critical" "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization." "fixed" "[2.6.7.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2018-11307" "Critical" "An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6." "fixed" "[2.7.9.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2017-7525" "Critical" "A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper." "fixed" "[2.6.7.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2017-17485" "Critical" "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath." "fixed" "[2.8.11]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2022-42004" "High" "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization." "fixed" "[2.12.7.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2022-42003" "High" "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled." "fixed" "[2.12.7.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2021-20190" "High" "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36518" "High" "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects." "fixed" "[2.12.6.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36189" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36188" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36187" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource." "fixed" "[2.9.10.8]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36186" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource." "fixed" "[2.9.10.8]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36185" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource." "fixed" "[2.9.10.8]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36184" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource." "fixed" "[2.9.10.8]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36183" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36182" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36181" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36180" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36179" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-35728" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl)." "fixed" "[2.9.10.8]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-35491" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource." "fixed" "[2.9.10.8]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-35490" "High" "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource." "fixed" "[2.9.10.8]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-24750" "High" "FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration." "fixed" "[2.6.7.5]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-24616" "High" "FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP)." "fixed" "[2.9.10.6]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-10673" "High" "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus)." "fixed" "[2.6.7.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2020-10650" "High" "A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider." "fixed" "[2.9.10.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-14439" "High" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath." "fixed" "[2.6.7.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-12086" "High" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation." "fixed" "[2.9.9]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2018-5968" "High" "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist." "not-fixed" "[]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2018-12022" "High" "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload." "fixed" "[2.7.9.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-12814" "Medium" "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server." "fixed" "[2.9.9.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jackson-databind" "2.4.0" "java-archive" "CVE-2019-12384" "Medium" "FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible." "fixed" "[2.9.9.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jettison" "1.1" "java-archive" "CVE-2023-1436" "High" "An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown. " "fixed" "[1.5.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jettison" "1.1" "java-archive" "CVE-2022-45693" "High" "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string." "fixed" "[1.5.2]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jettison" "1.1" "java-archive" "CVE-2022-45685" "High" "A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data." "fixed" "[1.5.2]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jettison" "1.1" "java-archive" "CVE-2022-40150" "High" "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack." "fixed" "[1.5.2]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jettison" "1.1" "java-archive" "CVE-2022-40149" "High" "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack." "fixed" "[1.5.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-http" "9.4.20.v20190813" "java-archive" "CVE-2023-40167" "Medium" "Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario." "fixed" "[9.4.52]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-http" "9.4.20.v20190813" "java-archive" "CVE-2022-2047" "Low" "In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario." "fixed" "[9.4.47]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2021-28165" "High" "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame." "fixed" "[9.4.39]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2023-26049" "Medium" "Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue." "fixed" "[9.4.51.v20230217]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2023-26048" "Medium" "Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory)." "fixed" "[9.4.51.v20230217]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2020-27223" "Medium" "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values." "fixed" "[9.4.37]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2020-27218" "Medium" "In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request." "fixed" "[9.4.35.v20201120]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2021-34428" "Low" "For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in." "fixed" "[9.4.41]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-webapp" "9.4.20.v20190813" "java-archive" "CVE-2020-27216" "High" "In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability." "fixed" "[9.4.33.v20201020]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "jetty-xml" "9.4.20.v20190813" "java-archive" "GHSA-58qw-p7qm-5rvh" "Low" "Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations" "fixed" "[9.4.52]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "log4j" "1.2.17" "java-archive" "CVE-2022-23305" "Critical" "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." "not-fixed" "[]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "log4j" "1.2.17" "java-archive" "CVE-2019-17571" "Critical" "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17." "not-fixed" "[]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "log4j" "1.2.17" "java-archive" "CVE-2022-23307" "High" "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists." "not-fixed" "[]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "log4j" "1.2.17" "java-archive" "CVE-2022-23302" "High" "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." "not-fixed" "[]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> "log4j" "1.2.17" "java-archive" "CVE-2021-4104" "High" "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
"not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty" "3.10.6.Final" "java-archive" "CVE-2019-20445" "Critical" > "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length > header to be accompanied by a second Content-Length header, or by a > Transfer-Encoding header." "not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty" "3.10.6.Final" "java-archive" "CVE-2019-20444" "Critical" > "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that > lacks a colon, which might be interpreted as a separate header with an > incorrect syntax, or might be interpreted as an "invalid fold."" > "not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty" "3.10.6.Final" "java-archive" "CVE-2021-37137" "High" "The Snappy > frame decoder function doesn't restrict the chunk length which may lead to > excessive memory usage. Beside this it also may buffer reserved skippable > chunks until the whole chunk was received which may lead to excessive > memory usage as well. This vulnerability can be triggered by supplying > malicious input that decompresses to a very big size (via a network stream > or a file) or by sending a huge skippable chunk." "not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty" "3.10.6.Final" "java-archive" "CVE-2021-37136" "High" "The Bzip2 > decompression decoder function doesn't allow setting size restrictions on > the decompressed output data (which affects the allocation size used during > decompression). All users of Bzip2Decoder are affected. 
The malicious input > can trigger an OOME and so a DoS attack" "not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty" "3.10.6.Final" "java-archive" "CVE-2021-43797" "Medium" "Netty is > an asynchronous event-driven network application framework for rapid > development of maintainable high performance protocol servers & clients. > Netty prior to version 4.1.71.Final skips control chars when they are > present at the beginning / end of the header name. It should instead fail > fast as these are not allowed by the spec and could lead to HTTP request > smuggling. Failing to do the validation might cause netty to "sanitize" > header names before it forward these to another remote system when used as > proxy. This remote system can't see the invalid usage anymore, and > therefore does not do the validation itself. Users should upgrade to > version 4.1.71.Final." "not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty" "3.10.6.Final" "java-archive" "CVE-2021-21409" "Medium" "Netty is > an open-source, asynchronous event-driven network application framework for > rapid development of maintainable high performance protocol servers & > clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final > there is a vulnerability that enables request smuggling. The content-length > header is not correctly validated if the request only uses a single > Http2HeaderFrame with the endStream set to to true. This could lead to > request smuggling if the request is proxied to a remote peer and translated > to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which > did miss to fix this one case. This was fixed as part of 4.1.61.Final." 
> "not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty" "3.10.6.Final" "java-archive" "CVE-2021-21295" "Medium" "Netty is > an open-source, asynchronous event-driven network application framework for > rapid development of maintainable high performance protocol servers & > clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final > there is a vulnerability that enables request smuggling. If a > Content-Length header is present in the original HTTP/2 request, the field > is not validated by `Http2MultiplexHandler` as it is propagated up. This is > fine as long as the request is not proxied through as HTTP/1.1. If the > request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 > domain objects (`HttpRequest`, `HttpContent`, etc.) via > `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's > pipeline and proxied through a remote peer as HTTP/1.1 this may result in > request smuggling. In a proxy case, users may assume the content-length is > validated somehow, which is not the case. If the request is forwarded to a > backend channel that is a HTTP/1.1 connection, the Content-Length now has > meaning and needs to be checked. An attacker can smuggle requests inside > the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example > attack refer to the linked GitHub Advisory. Users are only affected if all > of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, > `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, > and these HTTP/1.1 objects are forwarded to another remote peer. This has > been patched in 4.1.60.Final As a workaround, the user can do the > validation by themselves by implementing a custom `ChannelInboundHandler` > that is put in the `ChannelPipeline` behind > `Http2StreamFrameToHttpObjectCodec`." 
"not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty" "3.10.6.Final" "java-archive" "CVE-2021-21290" "Medium" "Netty is > an open-source, asynchronous event-driven network application framework for > rapid development of maintainable high performance protocol servers & > clients. In Netty before version 4.1.59.Final there is a vulnerability on > Unix-like systems involving an insecure temp file. When netty's multipart > decoders are used local information disclosure can occur via the local > system temporary directory if temporary storing uploads on the disk is > enabled. On unix-like systems, the temporary directory is shared between > all user. As such, writing to this directory using APIs that do not > explicitly set the file/directory permissions can lead to information > disclosure. Of note, this does not impact modern MacOS Operating Systems. > The method "File.createTempFile" on unix-like systems creates a random > file, but, by default will create this file with the permissions > "-rw-r--r--". Thus, if sensitive information is written to this file, other > local users can read this information. This is the case in netty's > "AbstractDiskHttpData" is vulnerable. This has been fixed in version > 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" > when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to > set the directory to something that is only readable by the current user." 
> "not-fixed" "[]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty-codec-http2" "4.1.87.Final" "java-archive" "GHSA-xpw8-rcwv-8f8p" > "High" "io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack" > "fixed" "[4.1.100.Final]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "netty-handler" "4.1.87.Final" "java-archive" "CVE-2023-34462" "Medium" > "Netty is an asynchronous event-driven network application framework for > rapid development of maintainable high performance protocol servers & > clients. The `SniHandler` can allocate up to 16MB of heap for each channel > during the TLS handshake. When the handler or the channel does not have an > idle timeout, it can be used to make a TCP server using the `SniHandler` to > allocate 16MB of heap. The `SniHandler` class is a handler that waits for > the TLS handshake to configure a `SslHandler` according to the indicated > server name by the `ClientHello` record. For this matter it allocates a > `ByteBuf` using the value defined in the `ClientHello` record. Normally the > value of the packet should be smaller than the handshake packet but there > are not checks done here and the way the code is written, it is possible to > craft a packet that makes the `SslClientHelloHandler`. This vulnerability > has been fixed in version 4.1.94.Final." "fixed" "[4.1.94.Final]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "okio" "1.6.0" "java-archive" "CVE-2023-3635" "High" "GzipSource does not > handle an exception that might be raised when parsing a malformed gzip > buffer. This may lead to denial of service of the Okio client when handling > a crafted GZIP archive, by using the GzipSource class. 
" "fixed" "[1.17.6]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "protobuf-java" "2.5.0" "java-archive" "CVE-2022-3510" "High" "A parsing > issue similar to CVE-2022-3171, but with Message-Type Extensions in > protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and > 3.16.3 can lead to a denial of service attack. Inputs containing multiple > instances of non-repeated embedded messages with repeated or unknown fields > causes objects to be converted back-n-forth between mutable and immutable > forms, resulting in potentially long garbage collection pauses. We > recommend updating to the versions mentioned above. " "fixed" "[3.16.3]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "protobuf-java" "2.5.0" "java-archive" "CVE-2022-3509" "High" "A parsing > issue similar to CVE-2022-3171, but with textformat in protobuf-java core > and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a > denial of service attack. Inputs containing multiple instances of > non-repeated embedded messages with repeated or unknown fields causes > objects to be converted back-n-forth between mutable and immutable forms, > resulting in potentially long garbage collection pauses. We recommend > updating to the versions mentioned above." "fixed" "[3.16.3]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "protobuf-java" "2.5.0" "java-archive" "CVE-2022-3171" "High" "A parsing > issue with binary data in protobuf-java core and lite versions prior to > 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. > Inputs containing multiple instances of non-repeated embedded messages with > repeated or unknown fields causes objects to be converted back-n-forth > between mutable and immutable forms, resulting in potentially long garbage > collection pauses. We recommend updating to the versions mentioned above." 
> "fixed" "[3.16.3]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "protobuf-java" "2.5.0" "java-archive" "CVE-2021-22570" "Medium" "Nullptr > dereference when a null char is present in a proto symbol. The symbol is > parsed incorrectly, leading to an unchecked call into the proto file's name > during generation of the resulting error message. Since the symbol is > incorrectly parsed, the file is nullptr. We recommend upgrading to version > 3.15.0 or greater." "fixed" "[3.15.0]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "protobuf-java" "2.5.0" "java-archive" "CVE-2021-22569" "Medium" "An issue > in protobuf-java allowed the interleaving of > com.google.protobuf.UnknownFieldSet fields in such a way that would be > processed out of order. A small malicious payload can occupy the parser for > several minutes by creating large numbers of short-lived objects that cause > frequent, repeated pauses. We recommend upgrading libraries beyond the > vulnerable versions." "fixed" "[3.16.1]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "snappy-java" "1.0.5" "java-archive" "CVE-2023-43642" "High" "snappy-java > is a Java port of the snappy, a fast C++ compresser/decompresser developed > by Google. The SnappyInputStream was found to be vulnerable to Denial of > Service (DoS) attacks when decompressing data with a too large chunk size. > Due to missing upper bound check on chunk length, an unrecoverable fatal > error can occur. All versions of snappy-java including the latest released > version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in > commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users > are advised to upgrade. Users unable to upgrade should only accept > compressed data from trusted sources." 
"fixed" "[1.1.10.4]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "snappy-java" "1.0.5" "java-archive" "CVE-2023-34455" "High" "snappy-java > is a fast compressor/decompressor for Java. Due to use of an unchecked > chunk length, an unrecoverable fatal error can occur in versions prior to > 1.1.10.1. The code in the function hasNextChunk in the > fileSnappyInputStream.java checks if a given stream has more chunks to > read. It does that by attempting to read 4 bytes. If it wasn’t possible > to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were > available, the code treats them as the length of the next chunk. In the > case that the `compressed` variable is null, a byte array is allocated with > the size given by the input data. Since the code doesn’t test the > legality of the `chunkSize` variable, it is possible to pass a negative > number (such as 0xFFFFFFFF which is -1), which will cause the code to raise > a `java.lang.NegativeArraySizeException` exception. A worse case would > happen when passing a huge positive value (such as 0x7FFFFFFF), which would > raise the fatal `java.lang.OutOfMemoryError` error. Version 1.1.10.1 > contains a patch for this issue." "fixed" "[1.1.10.1]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "snappy-java" "1.0.5" "java-archive" "CVE-2023-34454" "High" "snappy-java > is a fast compressor/decompressor for Java. Due to unchecked > multiplications, an integer overflow may occur in versions prior to > 1.1.10.1, causing an unrecoverable fatal error. The function > `compress(char[] input)` in the file `Snappy.java` receives an array of > characters and compresses it. It does so by multiplying the length by 2 and > passing it to the rawCompress` function. Since the length is not tested, > the multiplication by two can cause an integer overflow and become > negative. 
The rawCompress function then uses the received length and passes > it to the natively compiled maxCompressedLength function, using the > returned value to allocate a byte array. Since the maxCompressedLength > function treats the length as an unsigned integer, it doesn’t care that > it is negative, and it returns a valid value, which is casted to a signed > integer by the Java engine. If the result is negative, a > `java.lang.NegativeArraySizeException` exception will be raised while > trying to allocate the array `buf`. On the other side, if the result is > positive, the `buf` array will successfully be allocated, but its size > might be too small to use for the compression, causing a fatal Access > Violation error. The same issue exists also when using the `compress` > functions that receive double, float, int, long and short, each using a > different multiplier that may cause the same issue. The issue most likely > won’t occur when using a byte array, since creating a byte array of size > 0x80000000 (or any other negative value) is impossible in the first place. > Version 1.1.10.1 contains a patch for this issue." "fixed" "[1.1.10.1]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "snappy-java" "1.0.5" "java-archive" "CVE-2023-34453" "High" "snappy-java > is a fast compressor/decompressor for Java. Due to unchecked > multiplications, an integer overflow may occur in versions prior to > 1.1.10.1, causing a fatal error. The function `shuffle(int[] input)` in the > file `BitShuffle.java` receives an array of integers and applies a bit > shuffle on it. It does so by multiplying the length by 4 and passing it to > the natively compiled shuffle function. Since the length is not tested, the > multiplication by four can cause an integer overflow and become a smaller > value than the true size, or even zero or negative. 
In the case of a > negative value, a `java.lang.NegativeArraySizeException` exception will > raise, which can crash the program. In a case of a value that is zero or > too small, the code that afterwards references the shuffled array will > assume a bigger size of the array, which might cause exceptions such as > `java.lang.ArrayIndexOutOfBoundsException`. The same issue exists also when > using the `shuffle` functions that receive a double, float, long and short, > each using a different multiplier that may cause the same issue. Version > 1.1.10.1 contains a patch for this vulnerability." "fixed" "[1.1.10.1]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "woodstox-core" "5.0.3" "java-archive" "CVE-2022-40152" "High" "Those > using Woodstox to parse XML data may be vulnerable to Denial of Service > attacks (DOS) if DTD support is enabled. If the parser is running on user > supplied input, an attacker may supply content that causes the parser to > crash by stackoverflow. This effect may support a denial of service > attack." "fixed" "[5.4.0]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > "zookeeper" "3.5.7" "java-archive" "CVE-2023-44981" "Critical" > "Authorization Bypass Through User-Controlled Key vulnerability in Apache > ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper > (quorum.auth.enableSasl=true), the authorization is done by verifying that > the instance part in SASL authentication ID is listed in zoo.cfg server > list. The instance part in SASL auth ID is optional and if it's missing, > like 'e...@example.com', the authorization check will be skipped. As a > result an arbitrary endpoint could join the cluster and begin propagating > counterfeit changes to the leader, essentially giving it complete > read-write access to the data tree. Quorum Peer authentication is not > enabled by default. 
Users are recommended to upgrade to version 3.9.1, > 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble > election/quorum communication is protected by a firewall as this will > mitigate the issue. See the documentation for more details on correct > cluster administration. " "fixed" "[3.7.2]" > /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar > > > On Mon, Feb 19, 2024 at 9:52 AM Istvan Toth <st...@cloudera.com.invalid> > wrote: > >> HI, >> >> I can't see an attachment on this email. >> >> Istvan >> >> On Sun, Feb 18, 2024 at 6:02 PM Mateusz Gajewski < >> mateusz.gajew...@starburstdata.com> wrote: >> >> > Hi Phoenix team, >> > >> > I've built and tested upcoming 5.1.4 version by building it from the 5.1 >> > branch (5.1.3-124-gb6ca402f9) and would like to ask to address several >> CVEs >> > before releasing 5.1.4. Phoenix integration in Trino ( >> > https://github.com/trinodb/trino) is one of two connectors with really >> > high number of CVEs that we would like to remove from our codebase - >> either >> > by updating a connector to a newer, CVE-free dependency or by dropping >> > connector code and support for Phoenix (actually Phoenix5 accounts for >> 95% >> > of remaining CVEs in our codebase). >> > >> > I'm attaching a list of detected vulnerabilities. >> > >> > Please let me know how we can workaround these vulnerabilities. >> > >> >> >> -- >> *István Tóth* | Sr. Staff Software Engineer >> *Email*: st...@cloudera.com >> cloudera.com <https://www.cloudera.com> >> [image: Cloudera] <https://www.cloudera.com/> >> [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: >> Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: >> Cloudera >> on LinkedIn] <https://www.linkedin.com/company/cloudera> >> ------------------------------ >> ------------------------------ >> >