Thanks, Mateusz.

The vast majority of these are coming from either HBase or Hadoop.
(We always do a CVE pass on the direct Phoenix dependencies before release)

Unfortunately, Hadoop is generally not binary compatible between minor
releases, so using a newer Hadoop minor release than the default used by
HBase is not always an option.

We definitely will update Hadoop to 3.2.4 in the HBase 2.5 profile in 5.1,
but we are still testing if Hadoop 3.2 works with the HBase 2.4 profile
(which builds with Hadoop 3.1.3 now).

Depending on how the release schedules align, either 5.2 or 5.2.1 is going
to support HBase 2.6, which is built by Hadoop 3.3 by default, so that
should also help.

5.2 is also going to have a new shaded artifact, which works with the
hbase-shaded-mapreduce jars, and as such will include neither Hadoop nor
HBase libraries.
I think that moving to that one will be the best solution for Trino, as it
can independently manage the Hadoop and HBase versions used then.
(It also solves the incompatibility between the standard HBase libraries
and Phoenix)
See https://issues.apache.org/jira/browse/PHOENIX-7139 .

best regards
Istvan



On Mon, Feb 19, 2024 at 11:13 AM Mateusz Gajewski <
mateusz.gajew...@starburstdata.com> wrote:

> Rendered:
> https://github.com/trinodb/trino/pull/20739#issuecomment-1952114587
>
>
> On Mon, Feb 19, 2024 at 10:43 AM Mateusz Gajewski <
> mateusz.gajew...@starburstdata.com> wrote:
>
> > Yeah, attachment was sent but not delivered.
> >
> > Inline version
> >
> > "avro" "1.7.7" "java-archive" "CVE-2023-39410" "High" "When deserializing
> > untrusted or corrupted data, it is possible for a reader to consume
> memory
> > beyond the allowed constraints and thus lead to out of memory on the
> > system. This issue affects Java applications using Apache Avro Java SDK
> up
> > to and including 1.11.2. Users should update to apache-avro version
> 1.11.3
> > which addresses this issue. " "fixed" "[1.11.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "commons-net" "3.6" "java-archive" "CVE-2021-37533" "Medium" "Prior to
> > Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV
> > response by default. A malicious server can redirect the Commons Net code
> > to use a different host, but the user has to connect to the malicious
> > server in the first place. This may lead to leakage of information about
> > services running on the private network of the client. The default in
> > version 3.9.0 is now false to ignore such hosts, as cURL does. See
> > https://issues.apache.org/jira/browse/NET-711."; "fixed" "[3.9.0]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "hadoop-common" "3.1.4" "java-archive" "CVE-2022-26612" "Critical" "In
> > Apache Hadoop, The unTar function uses unTarUsingJava function on Windows
> > and the built-in tar utility on Unix and other OSes. As a result, a TAR
> > entry may create a symlink under the expected extraction directory which
> > points to an external directory. A subsequent TAR entry may extract an
> > arbitrary file into the external directory using the symlink name. This
> > however would be caught by the same targetDirPath check on Unix because
> of
> > the getCanonicalPath call. However on Windows, getCanonicalPath doesn't
> > resolve symbolic links, which bypasses the check. unpackEntries during
> TAR
> > extraction follows symbolic links which allows writing outside expected
> > base directory on Windows. This was addressed in Apache Hadoop 3.2.3"
> > "fixed" "[3.2.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "hadoop-common" "3.1.4" "java-archive" "CVE-2022-25168" "Critical"
> "Apache
> > Hadoop's FileUtil.unTar(File, File) API does not escape the input file
> name
> > before being passed to the shell. An attacker can inject arbitrary
> > commands. This is only used in Hadoop 3.3
> > InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a
> > local user. It has been used in Hadoop 2.x for yarn localization, which
> > does enable remote code execution. It is used in Apache Spark, from the
> SQL
> > command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the
> > classpath, being able to execute shell scripts does not confer new
> > permissions to the caller. SPARK-38305. "Check existence of file before
> > untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents
> > shell commands being executed, regardless of which version of the hadoop
> > libraries are in use. Users should upgrade to Apache Hadoop 2.10.2,
> 3.2.4,
> > 3.3.3 or upper (including HADOOP-18136)." "fixed" "[3.2.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "hadoop-common" "3.1.4" "java-archive" "CVE-2021-37404" "Critical" "There
> > is a potential heap buffer overflow in Apache Hadoop libhdfs native code.
> > Opening a file path provided by user without validation may result in a
> > denial of service or arbitrary code execution. Users should upgrade to
> > Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher." "fixed" "[3.2.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "httpclient" "4.5.2" "java-archive" "CVE-2020-13956" "Medium" "Apache
> > HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret
> > malformed authority component in request URIs passed to the library as
> > java.net.URI object and pick the wrong target host for request
> execution."
> > "fixed" "[4.5.13]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-9548" "Critical"
> > "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)." "fixed"
> > "[2.7.9.7]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-9547" "Critical"
> > "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka
> > ibatis-sqlmap)." "fixed" "[2.7.9.7]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-8840" "Critical"
> > "FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain
> > xbean-reflect/JNDI blocking, as demonstrated by
> > org.apache.xbean.propertyeditor.JndiConverter." "fixed" "[2.6.7.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-20330" "Critical"
> > "FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain
> > net.sf.ehcache blocking." "fixed" "[2.6.7.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-17531" "Critical" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind
> 2.0.0
> > through 2.9.10. When Default Typing is enabled (either globally or for a
> > specific property) for an externally exposed JSON endpoint and the
> service
> > has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an
> > attacker can provide a JNDI service to access, it is possible to make the
> > service execute a malicious payload." "fixed" "[2.6.7.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-17267" "Critical" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind
> > before 2.9.10. It is related to
> > net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup." "fixed"
> > "[2.8.11.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-16943" "Critical" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind
> 2.0.0
> > through 2.9.10. When Default Typing is enabled (either globally or for a
> > specific property) for an externally exposed JSON endpoint and the
> service
> > has the p6spy (3.8.6) jar in the classpath, and an attacker can find an
> RMI
> > service endpoint to access, it is possible to make the service execute a
> > malicious payload. This issue exists because of
> > com.p6spy.engine.spy.P6DataSource mishandling." "fixed" "[2.6.7.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-16942" "Critical" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind
> 2.0.0
> > through 2.9.10. When Default Typing is enabled (either globally or for a
> > specific property) for an externally exposed JSON endpoint and the
> service
> > has the commons-dbcp (1.4) jar in the classpath, and an attacker can find
> > an RMI service endpoint to access, it is possible to make the service
> > execute a malicious payload. This issue exists because of
> > org.apache.commons.dbcp.datasources.SharedPoolDataSource and
> > org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling."
> > "fixed" "[2.9.10.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-16335" "Critical" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind
> > before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This
> is
> > a different vulnerability than CVE-2019-14540." "fixed" "[2.6.7.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-14892" "Critical" "A
> > flaw was discovered in jackson-databind in versions before 2.9.10,
> 2.8.11.5
> > and 2.6.7.3, where it would permit polymorphic deserialization of a
> > malicious object using commons-configuration 1 and 2 JNDI classes. An
> > attacker could use this flaw to execute arbitrary code." "fixed"
> > "[2.6.7.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-14540" "Critical" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind
> > before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig." "fixed"
> > "[2.6.7.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-14379" "Critical"
> > "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2
> > mishandles default typing when ehcache is used (because of
> > net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup),
> > leading to remote code execution." "fixed" "[2.7.9.6]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2018-7489" "Critical"
> > "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and
> 2.9.x
> > before 2.9.5 allows unauthenticated remote code execution because of an
> > incomplete fix for the CVE-2017-7525 deserialization flaw. This is
> > exploitable by sending maliciously crafted JSON input to the readValue
> > method of the ObjectMapper, bypassing a blacklist that is ineffective if
> > the c3p0 libraries are available in the classpath." "fixed" "[2.8.11.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2018-14719" "Critical"
> > "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers
> > to execute arbitrary code by leveraging failure to block the blaze-ds-opt
> > and blaze-ds-core classes from polymorphic deserialization." "fixed"
> > "[2.7.9.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2018-14718" "Critical"
> > "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers
> > to execute arbitrary code by leveraging failure to block the slf4j-ext
> > class from polymorphic deserialization." "fixed" "[2.6.7.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2018-11307" "Critical" "An
> > issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5.
> Use
> > of Jackson default typing along with a gadget class from iBatis allows
> > exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6." "fixed"
> > "[2.7.9.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2017-7525" "Critical" "A
> > deserialization flaw was discovered in the jackson-databind, versions
> > before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated
> > user to perform code execution by sending the maliciously crafted input
> to
> > the readValue method of the ObjectMapper." "fixed" "[2.6.7.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2017-17485" "Critical"
> > "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows
> > unauthenticated remote code execution because of an incomplete fix for
> the
> > CVE-2017-7525 deserialization flaw. This is exploitable by sending
> > maliciously crafted JSON input to the readValue method of the
> ObjectMapper,
> > bypassing a blacklist that is ineffective if the Spring libraries are
> > available in the classpath." "fixed" "[2.8.11]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2022-42004" "High" "In
> > FasterXML jackson-databind before 2.13.4, resource exhaustion can occur
> > because of a lack of a check in BeanDeserializer._deserializeFromArray to
> > prevent use of deeply nested arrays. An application is vulnerable only
> with
> > certain customized choices for deserialization." "fixed" "[2.12.7.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2022-42003" "High" "In
> > FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1,
> resource
> > exhaustion can occur because of a lack of a check in primitive value
> > deserializers to avoid deep wrapper array nesting, when the
> > UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled." "fixed" "[2.12.7.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2021-20190" "High" "A flaw
> > was found in jackson-databind before 2.9.10.7. FasterXML mishandles the
> > interaction between serialization gadgets and typing. The highest threat
> > from this vulnerability is to data confidentiality and integrity as well
> as
> > system availability." "fixed" "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36518" "High"
> > "jackson-databind before 2.13.0 allows a Java StackOverflow exception and
> > denial of service via a large depth of nested objects." "fixed"
> > "[2.12.6.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36189" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > com.newrelic.agent.deps.ch
> .qos.logback.core.db.DriverManagerConnectionSource."
> > "fixed" "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36188" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource."
> > "fixed" "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36187" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource." "fixed"
> > "[2.9.10.8]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36186" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource." "fixed"
> > "[2.9.10.8]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36185" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource." "fixed"
> > "[2.9.10.8]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36184" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource." "fixed"
> > "[2.9.10.8]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36183" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool." "fixed"
> > "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36182" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS." "fixed"
> > "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36181" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS." "fixed"
> > "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36180" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS." "fixed"
> > "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-36179" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS." "fixed"
> > "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-35728" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka
> > embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl)." "fixed"
> > "[2.9.10.8]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-35491" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.commons.dbcp2.datasources.SharedPoolDataSource." "fixed"
> > "[2.9.10.8]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-35490" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > org.apache.commons.dbcp2.datasources.PerUserPoolDataSource." "fixed"
> > "[2.9.10.8]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-24750" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > com.pastdev.httpcomponents.configuration.JndiConfiguration." "fixed"
> > "[2.6.7.5]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-24616" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP)." "fixed"
> > "[2.9.10.6]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-10673" "High"
> > "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
> interaction
> > between serialization gadgets and typing, related to
> > com.caucho.config.types.ResourceRef (aka caucho-quercus)." "fixed"
> > "[2.6.7.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2020-10650" "High" "A
> > deserialization flaw was discovered in jackson-databind through 2.9.10.4.
> > It could allow an unauthenticated user to perform code execution via
> > ignite-jta or quartz-core:
> > org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup,
> > org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and
> > org.quartz.utils.JNDIConnectionProvider." "fixed" "[2.9.10.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-14439" "High" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
> > before 2.9.9.2. This occurs when Default Typing is enabled (either
> globally
> > or for a specific property) for an externally exposed JSON endpoint and
> the
> > service has the logback jar in the classpath." "fixed" "[2.6.7.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-12086" "High" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
> > before 2.9.9. When Default Typing is enabled (either globally or for a
> > specific property) for an externally exposed JSON endpoint, the service
> has
> > the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
> > attacker can host a crafted MySQL server reachable by the victim, an
> > attacker can send a crafted JSON message that allows them to read
> arbitrary
> > local files on the server. This occurs because of missing
> > com.mysql.cj.jdbc.admin.MiniAdmin validation." "fixed" "[2.9.9]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2018-5968" "High"
> > "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows
> > unauthenticated remote code execution because of an incomplete fix for
> the
> > CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is
> exploitable
> > via two different gadgets that bypass a blacklist." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2018-12022" "High" "An
> > issue was discovered in FasterXML jackson-databind prior to 2.7.9.4,
> > 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or
> for
> > a specific property), the service has the Jodd-db jar (for database
> access
> > for the Jodd framework) in the classpath, and an attacker can provide an
> > LDAP service to access, it is possible to make the service execute a
> > malicious payload." "fixed" "[2.7.9.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-12814" "Medium" "A
> > Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
> > through 2.9.9. When Default Typing is enabled (either globally or for a
> > specific property) for an externally exposed JSON endpoint and the
> service
> > has JDOM 1.x or 2.x jar in the classpath, an attacker can send a
> > specifically crafted JSON message that allows them to read arbitrary
> local
> > files on the server." "fixed" "[2.9.9.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jackson-databind" "2.4.0" "java-archive" "CVE-2019-12384" "Medium"
> > "FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to
> > have a variety of impacts by leveraging failure to block the logback-core
> > class from polymorphic deserialization. Depending on the classpath
> content,
> > remote code execution may be possible." "fixed" "[2.9.9.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jettison" "1.1" "java-archive" "CVE-2023-1436" "High" "An infinite
> > recursion is triggered in Jettison when constructing a JSONArray from a
> > Collection that contains a self-reference in one of its elements. This
> > leads to a StackOverflowError exception being thrown. " "fixed" "[1.5.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jettison" "1.1" "java-archive" "CVE-2022-45693" "High" "Jettison before
> > v1.5.2 was discovered to contain a stack overflow via the map parameter.
> > This vulnerability allows attackers to cause a Denial of Service (DoS)
> via
> > a crafted string." "fixed" "[1.5.2]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jettison" "1.1" "java-archive" "CVE-2022-45685" "High" "A stack overflow
> > in Jettison before v1.5.2 allows attackers to cause a Denial of Service
> > (DoS) via crafted JSON data." "fixed" "[1.5.2]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jettison" "1.1" "java-archive" "CVE-2022-40150" "High" "Those using
> > Jettison to parse untrusted XML or JSON data may be vulnerable to Denial
> of
> > Service attacks (DOS). If the parser is running on user supplied input,
> an
> > attacker may supply content that causes the parser to crash by Out of
> > memory. This effect may support a denial of service attack." "fixed"
> > "[1.5.2]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jettison" "1.1" "java-archive" "CVE-2022-40149" "High" "Those using
> > Jettison to parse untrusted XML or JSON data may be vulnerable to Denial
> of
> > Service attacks (DOS). If the parser is running on user supplied input,
> an
> > attacker may supply content that causes the parser to crash by
> > stackoverflow. This effect may support a denial of service attack."
> "fixed"
> > "[1.5.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-http" "9.4.20.v20190813" "java-archive" "CVE-2023-40167" "Medium"
> > "Jetty is a Java based web server and servlet engine. Prior to versions
> > 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character
> > proceeding the content-length value in a HTTP/1 header field. This is
> more
> > permissive than allowed by the RFC and other servers routinely reject
> such
> > requests with 400 responses. There is no known exploit scenario, but it
> is
> > conceivable that request smuggling could result if jetty is used in
> > combination with a server that does not close the connection after
> sending
> > such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1
> contain
> > a patch for this issue. There is no workaround as there is no known
> exploit
> > scenario." "fixed" "[9.4.52]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-http" "9.4.20.v20190813" "java-archive" "CVE-2022-2047" "Low" "In
> > Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and
> > 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an
> > http scheme URI, the Jetty HttpURI class improperly detects an invalid
> > input as a hostname. This can lead to failures in a Proxy scenario."
> > "fixed" "[9.4.47]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2021-28165" "High"
> > "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> > 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large
> > invalid TLS frame." "fixed" "[9.4.39]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2023-26049"
> "Medium"
> > "Jetty is a java based web server and servlet engine. Nonstandard cookie
> > parsing in Jetty may allow an attacker to smuggle cookies within other
> > cookies, or otherwise perform unintended behavior by tampering with the
> > cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with
> `"`
> > (double quote), it will continue to read the cookie string until it sees
> a
> > closing quote -- even if a semicolon is encountered. So, a cookie header
> > such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as
> one
> > cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337;
> > c=d instead of 3 separate cookies. This has security implications because
> > if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE
> cookie
> > value is rendered on the page, an attacker can smuggle the JSESSIONID
> > cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This
> is
> > significant when an intermediary is enacting some policy based on
> cookies,
> > so a smuggled cookie can bypass that policy yet still be seen by the
> Jetty
> > server or its logging system. This issue has been addressed in versions
> > 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to
> > upgrade. There are no known workarounds for this issue." "fixed"
> > "[9.4.51.v20230217]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2023-26048"
> "Medium"
> > "Jetty is a java based web server and servlet engine. In affected
> versions
> > servlets with multipart support (e.g. annotated with `@MultipartConfig`)
> > that call `HttpServletRequest.getParameter()` or
> > `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
> > client sends a multipart request with a part that has a name but no
> > filename and very large content. This happens even with the default
> > settings of `fileSizeThreshold=0` which should stream the whole part
> > content to disk. An attacker client may send a large multipart request
> and
> > cause the server to throw `OutOfMemoryError`. However, the server may be
> > able to recover after the `OutOfMemoryError` and continue its service --
> > although it may take some time. This issue has been patched in versions
> > 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable
> to
> > upgrade may set the multipart parameter `maxRequestSize` which must be
> set
> > to a non-negative value, so the whole multipart content is limited
> > (although still read into memory)." "fixed" "[9.4.51.v20230217]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2020-27223"
> "Medium"
> > "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive),
> 10.0.0,
> > and 11.0.0 when Jetty handles a request containing multiple Accept
> headers
> > with a large number of "quality" (i.e. q) parameters, the server may
> > enter a denial of service (DoS) state due to high CPU usage processing
> > those quality values, resulting in minutes of CPU time exhausted
> processing
> > those quality values." "fixed" "[9.4.37]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2020-27218"
> "Medium"
> > "In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to
> > 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body
> > inflation is enabled and requests from different clients are multiplexed
> > onto a single connection, and if an attacker can send a request with a
> body
> > that is received entirely but not consumed by the application, then a
> > subsequent request on the same connection will see that body prepended to
> > its body. The attacker will not see any data but may inject data into the
> > body of the subsequent request." "fixed" "[9.4.35.v20201120]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2021-34428" "Low"
> > "For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an
> > exception is thrown from the SessionListener#sessionDestroyed() method,
> > then the session ID is not invalidated in the session ID manager. On
> > deployments with clustered sessions and multiple contexts this can result
> > in a session not being invalidated. This can result in an application
> used
> > on a shared computer being left logged in." "fixed" "[9.4.41]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-webapp" "9.4.20.v20190813" "java-archive" "CVE-2020-27216" "High"
> > "In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru
> > 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix like systems,
> > the system's temporary directory is shared between all users on that
> > system. A collocated user can observe the process of creating a temporary
> > sub directory in the shared temporary directory and race to complete the
> > creation of the temporary subdirectory. If the attacker wins the race
> then
> > they will have read and write permission to the subdirectory used to
> unpack
> > web applications, including their WEB-INF/lib jar files and JSP files. If
> > any code is ever executed out of this temporary directory, this can lead
> to
> > a local privilege escalation vulnerability." "fixed" "[9.4.33.v20201020]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "jetty-xml" "9.4.20.v20190813" "java-archive" "GHSA-58qw-p7qm-5rvh" "Low"
> > "Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations" "fixed"
> > "[9.4.52]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "log4j" "1.2.17" "java-archive" "CVE-2022-23305" "Critical" "By design,
> > the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a
> configuration
> > parameter where the values to be inserted are converters from
> > PatternLayout. The message converter, %m, is likely to always be
> included.
> > This allows attackers to manipulate the SQL by entering crafted strings
> > into input fields or headers of an application that are logged allowing
> > unintended SQL queries to be executed. Note this issue only affects Log4j
> > 1.x when specifically configured to use the JDBCAppender, which is not
> the
> > default. Beginning in version 2.0-beta8, the JDBCAppender was
> re-introduced
> > with proper support for parameterized SQL queries and further
> customization
> > over the columns written to in logs. Apache Log4j 1.2 reached end of life
> > in August 2015. Users should upgrade to Log4j 2 as it addresses numerous
> > other issues from the previous versions." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "log4j" "1.2.17" "java-archive" "CVE-2019-17571" "Critical" "Included in
> > Log4j 1.2 is a SocketServer class that is vulnerable to deserialization
> of
> > untrusted data which can be exploited to remotely execute arbitrary code
> > when combined with a deserialization gadget when listening to untrusted
> > network traffic for log data. This affects Log4j versions up to 1.2 up to
> > 1.2.17." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "log4j" "1.2.17" "java-archive" "CVE-2022-23307" "High" "CVE-2020-9493
> > identified a deserialization issue that was present in Apache Chainsaw.
> > Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x
> where
> > the same issue exists." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "log4j" "1.2.17" "java-archive" "CVE-2022-23302" "High" "JMSSink in all
> > versions of Log4j 1.x is vulnerable to deserialization of untrusted data
> > when the attacker has write access to the Log4j configuration or if the
> > configuration references an LDAP service the attacker has access to. The
> > attacker can provide a TopicConnectionFactoryBindingName configuration
> > causing JMSSink to perform JNDI requests that result in remote code
> > execution in a similar fashion to CVE-2021-4104. Note this issue only
> > affects Log4j 1.x when specifically configured to use JMSSink, which is
> not
> > the default. Apache Log4j 1.2 reached end of life in August 2015. Users
> > should upgrade to Log4j 2 as it addresses numerous other issues from the
> > previous versions." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "log4j" "1.2.17" "java-archive" "CVE-2021-4104" "High" "JMSAppender in
> > Log4j 1.2 is vulnerable to deserialization of untrusted data when the
> > attacker has write access to the Log4j configuration. The attacker can
> > provide TopicBindingName and TopicConnectionFactoryBindingName
> > configurations causing JMSAppender to perform JNDI requests that result
> in
> > remote code execution in a similar fashion to CVE-2021-44228. Note this
> > issue only affects Log4j 1.2 when specifically configured to use
> > JMSAppender, which is not the default. Apache Log4j 1.2 reached end of
> life
> > in August 2015. Users should upgrade to Log4j 2 as it addresses numerous
> > other issues from the previous versions." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty" "3.10.6.Final" "java-archive" "CVE-2019-20445" "Critical"
> > "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length
> > header to be accompanied by a second Content-Length header, or by a
> > Transfer-Encoding header." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty" "3.10.6.Final" "java-archive" "CVE-2019-20444" "Critical"
> > "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that
> > lacks a colon, which might be interpreted as a separate header with an
> > incorrect syntax, or might be interpreted as an "invalid fold.""
> > "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty" "3.10.6.Final" "java-archive" "CVE-2021-37137" "High" "The Snappy
> > frame decoder function doesn't restrict the chunk length which may lead
> to
> > excessive memory usage. Beside this it also may buffer reserved skippable
> > chunks until the whole chunk was received which may lead to excessive
> > memory usage as well. This vulnerability can be triggered by supplying
> > malicious input that decompresses to a very big size (via a network
> stream
> > or a file) or by sending a huge skippable chunk." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty" "3.10.6.Final" "java-archive" "CVE-2021-37136" "High" "The Bzip2
> > decompression decoder function doesn't allow setting size restrictions on
> > the decompressed output data (which affects the allocation size used
> during
> > decompression). All users of Bzip2Decoder are affected. The malicious
> input
> > can trigger an OOME and so a DoS attack" "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty" "3.10.6.Final" "java-archive" "CVE-2021-43797" "Medium" "Netty is
> > an asynchronous event-driven network application framework for rapid
> > development of maintainable high performance protocol servers & clients.
> > Netty prior to version 4.1.71.Final skips control chars when they are
> > present at the beginning / end of the header name. It should instead fail
> > fast as these are not allowed by the spec and could lead to HTTP request
> > smuggling. Failing to do the validation might cause netty to "sanitize"
> > header names before it forward these to another remote system when used
> as
> > proxy. This remote system can't see the invalid usage anymore, and
> > therefore does not do the validation itself. Users should upgrade to
> > version 4.1.71.Final." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty" "3.10.6.Final" "java-archive" "CVE-2021-21409" "Medium" "Netty is
> > an open-source, asynchronous event-driven network application framework
> for
> > rapid development of maintainable high performance protocol servers &
> > clients. In Netty (io.netty:netty-codec-http2) before version
> 4.1.61.Final
> > there is a vulnerability that enables request smuggling. The
> content-length
> > header is not correctly validated if the request only uses a single
> > Http2HeaderFrame with the endStream set to to true. This could lead to
> > request smuggling if the request is proxied to a remote peer and
> translated
> > to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295
> which
> > did miss to fix this one case. This was fixed as part of 4.1.61.Final."
> > "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty" "3.10.6.Final" "java-archive" "CVE-2021-21295" "Medium" "Netty is
> > an open-source, asynchronous event-driven network application framework
> for
> > rapid development of maintainable high performance protocol servers &
> > clients. In Netty (io.netty:netty-codec-http2) before version
> 4.1.60.Final
> > there is a vulnerability that enables request smuggling. If a
> > Content-Length header is present in the original HTTP/2 request, the
> field
> > is not validated by `Http2MultiplexHandler` as it is propagated up. This
> is
> > fine as long as the request is not proxied through as HTTP/1.1. If the
> > request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1
> > domain objects (`HttpRequest`, `HttpContent`, etc.) via
> > `Http2StreamFrameToHttpObjectCodec` and then sent up to the child
> channel's
> > pipeline and proxied through a remote peer as HTTP/1.1 this may result in
> > request smuggling. In a proxy case, users may assume the content-length
> is
> > validated somehow, which is not the case. If the request is forwarded to
> a
> > backend channel that is a HTTP/1.1 connection, the Content-Length now has
> > meaning and needs to be checked. An attacker can smuggle requests inside
> > the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example
> > attack refer to the linked GitHub Advisory. Users are only affected if
> all
> > of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used,
> > `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1
> objects,
> > and these HTTP/1.1 objects are forwarded to another remote peer. This has
> > been patched in 4.1.60.Final As a workaround, the user can do the
> > validation by themselves by implementing a custom `ChannelInboundHandler`
> > that is put in the `ChannelPipeline` behind
> > `Http2StreamFrameToHttpObjectCodec`." "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty" "3.10.6.Final" "java-archive" "CVE-2021-21290" "Medium" "Netty is
> > an open-source, asynchronous event-driven network application framework
> for
> > rapid development of maintainable high performance protocol servers &
> > clients. In Netty before version 4.1.59.Final there is a vulnerability on
> > Unix-like systems involving an insecure temp file. When netty's multipart
> > decoders are used local information disclosure can occur via the local
> > system temporary directory if temporary storing uploads on the disk is
> > enabled. On unix-like systems, the temporary directory is shared between
> > all user. As such, writing to this directory using APIs that do not
> > explicitly set the file/directory permissions can lead to information
> > disclosure. Of note, this does not impact modern MacOS Operating Systems.
> > The method "File.createTempFile" on unix-like systems creates a random
> > file, but, by default will create this file with the permissions
> > "-rw-r--r--". Thus, if sensitive information is written to this file,
> other
> > local users can read this information. This is the case in netty's
> > "AbstractDiskHttpData" is vulnerable. This has been fixed in version
> > 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir"
> > when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to
> > set the directory to something that is only readable by the current
> user."
> > "not-fixed" "[]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty-codec-http2" "4.1.87.Final" "java-archive" "GHSA-xpw8-rcwv-8f8p"
> > "High" "io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset
> Attack"
> > "fixed" "[4.1.100.Final]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "netty-handler" "4.1.87.Final" "java-archive" "CVE-2023-34462" "Medium"
> > "Netty is an asynchronous event-driven network application framework for
> > rapid development of maintainable high performance protocol servers &
> > clients. The `SniHandler` can allocate up to 16MB of heap for each
> channel
> > during the TLS handshake. When the handler or the channel does not have
> an
> > idle timeout, it can be used to make a TCP server using the `SniHandler`
> to
> > allocate 16MB of heap. The `SniHandler` class is a handler that waits for
> > the TLS handshake to configure a `SslHandler` according to the indicated
> > server name by the `ClientHello` record. For this matter it allocates a
> > `ByteBuf` using the value defined in the `ClientHello` record. Normally
> the
> > value of the packet should be smaller than the handshake packet but there
> > are not checks done here and the way the code is written, it is possible
> to
> > craft a packet that makes the `SslClientHelloHandler`. This vulnerability
> > has been fixed in version 4.1.94.Final." "fixed" "[4.1.94.Final]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "okio" "1.6.0" "java-archive" "CVE-2023-3635" "High" "GzipSource does not
> > handle an exception that might be raised when parsing a malformed gzip
> > buffer. This may lead to denial of service of the Okio client when
> handling
> > a crafted GZIP archive, by using the GzipSource class. " "fixed"
> "[1.17.6]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "protobuf-java" "2.5.0" "java-archive" "CVE-2022-3510" "High" "A parsing
> > issue similar to CVE-2022-3171, but with Message-Type Extensions in
> > protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and
> > 3.16.3 can lead to a denial of service attack. Inputs containing multiple
> > instances of non-repeated embedded messages with repeated or unknown
> fields
> > causes objects to be converted back-n-forth between mutable and immutable
> > forms, resulting in potentially long garbage collection pauses. We
> > recommend updating to the versions mentioned above. " "fixed" "[3.16.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "protobuf-java" "2.5.0" "java-archive" "CVE-2022-3509" "High" "A parsing
> > issue similar to CVE-2022-3171, but with textformat in protobuf-java core
> > and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to
> a
> > denial of service attack. Inputs containing multiple instances of
> > non-repeated embedded messages with repeated or unknown fields causes
> > objects to be converted back-n-forth between mutable and immutable forms,
> > resulting in potentially long garbage collection pauses. We recommend
> > updating to the versions mentioned above." "fixed" "[3.16.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "protobuf-java" "2.5.0" "java-archive" "CVE-2022-3171" "High" "A parsing
> > issue with binary data in protobuf-java core and lite versions prior to
> > 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack.
> > Inputs containing multiple instances of non-repeated embedded messages
> with
> > repeated or unknown fields causes objects to be converted back-n-forth
> > between mutable and immutable forms, resulting in potentially long
> garbage
> > collection pauses. We recommend updating to the versions mentioned
> above."
> > "fixed" "[3.16.3]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "protobuf-java" "2.5.0" "java-archive" "CVE-2021-22570" "Medium" "Nullptr
> > dereference when a null char is present in a proto symbol. The symbol is
> > parsed incorrectly, leading to an unchecked call into the proto file's
> name
> > during generation of the resulting error message. Since the symbol is
> > incorrectly parsed, the file is nullptr. We recommend upgrading to
> version
> > 3.15.0 or greater." "fixed" "[3.15.0]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "protobuf-java" "2.5.0" "java-archive" "CVE-2021-22569" "Medium" "An
> issue
> > in protobuf-java allowed the interleaving of
> > com.google.protobuf.UnknownFieldSet fields in such a way that would be
> > processed out of order. A small malicious payload can occupy the parser
> for
> > several minutes by creating large numbers of short-lived objects that
> cause
> > frequent, repeated pauses. We recommend upgrading libraries beyond the
> > vulnerable versions." "fixed" "[3.16.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "snappy-java" "1.0.5" "java-archive" "CVE-2023-43642" "High" "snappy-java
> > is a Java port of the snappy, a fast C++ compressor/decompressor
> developed
> > by Google. The SnappyInputStream was found to be vulnerable to Denial of
> > Service (DoS) attacks when decompressing data with a too large chunk
> size.
> > Due to missing upper bound check on chunk length, an unrecoverable fatal
> > error can occur. All versions of snappy-java including the latest
> released
> > version 1.1.10.3 are vulnerable to this issue. A fix has been introduced
> in
> > commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users
> > are advised to upgrade. Users unable to upgrade should only accept
> > compressed data from trusted sources." "fixed" "[1.1.10.4]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "snappy-java" "1.0.5" "java-archive" "CVE-2023-34455" "High" "snappy-java
> > is a fast compressor/decompressor for Java. Due to use of an unchecked
> > chunk length, an unrecoverable fatal error can occur in versions prior to
> > 1.1.10.1. The code in the function hasNextChunk in the
> > fileSnappyInputStream.java checks if a given stream has more chunks to
> > read. It does that by attempting to read 4 bytes. If it wasn’t possible
> > to read the 4 bytes, the function returns false. Otherwise, if 4 bytes
> were
> > available, the code treats them as the length of the next chunk. In the
> > case that the `compressed` variable is null, a byte array is allocated
> with
> > the size given by the input data. Since the code doesn’t test the
> > legality of the `chunkSize` variable, it is possible to pass a negative
> > number (such as 0xFFFFFFFF which is -1), which will cause the code to
> raise
> > a `java.lang.NegativeArraySizeException` exception. A worse case would
> > happen when passing a huge positive value (such as 0x7FFFFFFF), which
> would
> > raise the fatal `java.lang.OutOfMemoryError` error. Version 1.1.10.1
> > contains a patch for this issue." "fixed" "[1.1.10.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "snappy-java" "1.0.5" "java-archive" "CVE-2023-34454" "High" "snappy-java
> > is a fast compressor/decompressor for Java. Due to unchecked
> > multiplications, an integer overflow may occur in versions prior to
> > 1.1.10.1, causing an unrecoverable fatal error. The function
> > `compress(char[] input)` in the file `Snappy.java` receives an array of
> > characters and compresses it. It does so by multiplying the length by 2
> and
> > passing it to the `rawCompress` function. Since the length is not tested,
> > the multiplication by two can cause an integer overflow and become
> > negative. The rawCompress function then uses the received length and
> passes
> > it to the natively compiled maxCompressedLength function, using the
> > returned value to allocate a byte array. Since the maxCompressedLength
> > function treats the length as an unsigned integer, it doesn’t care that
> > it is negative, and it returns a valid value, which is casted to a signed
> > integer by the Java engine. If the result is negative, a
> > `java.lang.NegativeArraySizeException` exception will be raised while
> > trying to allocate the array `buf`. On the other side, if the result is
> > positive, the `buf` array will successfully be allocated, but its size
> > might be too small to use for the compression, causing a fatal Access
> > Violation error. The same issue exists also when using the `compress`
> > functions that receive double, float, int, long and short, each using a
> > different multiplier that may cause the same issue. The issue most likely
> > won’t occur when using a byte array, since creating a byte array of
> size
> > 0x80000000 (or any other negative value) is impossible in the first
> place.
> > Version 1.1.10.1 contains a patch for this issue." "fixed" "[1.1.10.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "snappy-java" "1.0.5" "java-archive" "CVE-2023-34453" "High" "snappy-java
> > is a fast compressor/decompressor for Java. Due to unchecked
> > multiplications, an integer overflow may occur in versions prior to
> > 1.1.10.1, causing a fatal error. The function `shuffle(int[] input)` in
> the
> > file `BitShuffle.java` receives an array of integers and applies a bit
> > shuffle on it. It does so by multiplying the length by 4 and passing it
> to
> > the natively compiled shuffle function. Since the length is not tested,
> the
> > multiplication by four can cause an integer overflow and become a smaller
> > value than the true size, or even zero or negative. In the case of a
> > negative value, a `java.lang.NegativeArraySizeException` exception will
> > raise, which can crash the program. In a case of a value that is zero or
> > too small, the code that afterwards references the shuffled array will
> > assume a bigger size of the array, which might cause exceptions such as
> > `java.lang.ArrayIndexOutOfBoundsException`. The same issue exists also
> when
> > using the `shuffle` functions that receive a double, float, long and
> short,
> > each using a different multiplier that may cause the same issue. Version
> > 1.1.10.1 contains a patch for this vulnerability." "fixed" "[1.1.10.1]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "woodstox-core" "5.0.3" "java-archive" "CVE-2022-40152" "High" "Those
> > using Woodstox to parse XML data may be vulnerable to Denial of Service
> > attacks (DOS) if DTD support is enabled. If the parser is running on user
> > supplied input, an attacker may supply content that causes the parser to
> > crash by stackoverflow. This effect may support a denial of service
> > attack." "fixed" "[5.4.0]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> > "zookeeper" "3.5.7" "java-archive" "CVE-2023-44981" "Critical"
> > "Authorization Bypass Through User-Controlled Key vulnerability in Apache
> > ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper
> > (quorum.auth.enableSasl=true), the authorization is done by verifying
> that
> > the instance part in SASL authentication ID is listed in zoo.cfg server
> > list. The instance part in SASL auth ID is optional and if it's missing,
> > like 'e...@example.com', the authorization check will be skipped. As a
> > result an arbitrary endpoint could join the cluster and begin propagating
> > counterfeit changes to the leader, essentially giving it complete
> > read-write access to the data tree. Quorum Peer authentication is not
> > enabled by default. Users are recommended to upgrade to version 3.9.1,
> > 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble
> > election/quorum communication is protected by a firewall as this will
> > mitigate the issue. See the documentation for more details on correct
> > cluster administration. " "fixed" "[3.7.2]"
> >
> /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
> >
> >
> > On Mon, Feb 19, 2024 at 9:52 AM Istvan Toth <st...@cloudera.com.invalid>
> > wrote:
> >
> >> HI,
> >>
> >> I can't see an attachment on this email.
> >>
> >> Istvan
> >>
> >> On Sun, Feb 18, 2024 at 6:02 PM Mateusz Gajewski <
> >> mateusz.gajew...@starburstdata.com> wrote:
> >>
> >> > Hi Phoenix team,
> >> >
> >> > I've built and tested upcoming 5.1.4 version by building it from the
> 5.1
> >> > branch (5.1.3-124-gb6ca402f9) and would like to ask to address several
> >> CVEs
> >> > before releasing 5.1.4. Phoenix integration in Trino (
> >> > https://github.com/trinodb/trino) is one of two connectors with
> really
> >> > high number of CVEs that we would like to remove from our codebase -
> >> either
> >> > by updating a connector to a newer, CVE-free dependency or by dropping
> >> > connector code and support for Phoenix (actually Phoenix5 accounts for
> >> 95%
> >> > of remaining CVEs in our codebase).
> >> >
> >> > I'm attaching a list of detected vulnerabilities.
> >> >
> >> > Please let me know how we can workaround these vulnerabilities.
> >> >
> >>
> >>
> >> --
> >> *István Tóth* | Sr. Staff Software Engineer
> >> *Email*: st...@cloudera.com
> >> cloudera.com <https://www.cloudera.com>
> >>
> >
>


-- 
*István Tóth* | Sr. Staff Software Engineer
*Email*: st...@cloudera.com
cloudera.com <https://www.cloudera.com>
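The scanner export quoted above mixes two different remediation cases: artifacts where a version bump inside the same release line closes the findings (jetty 9.4.x, snappy-java, protobuf-java, zookeeper), and artifacts whose findings are reported "not-fixed" with an empty fix list because no release of that line will ever fix them (log4j 1.2.17, netty 3.10.6.Final). The Python script below is an added example for this page, not code from the thread, from Phoenix or from Trino. It parses records in the quoted scanner format and turns them into a per-artifact plan: the single upgrade version that covers all fixed findings (the highest fix version, not the first one listed) and a replacement flag for artifacts with unfixable findings. It assumes one record per line with the jar path as the unquoted last field (the mail client wrapped the records and moved the path to its own line); the sample records are constructed from the list above with the NVD descriptions shortened. Descriptions can contain unescaped double quotes (the netty CVE-2019-20444 text ends in `"invalid fold."`), so the parser anchors on the known shape of the leading and trailing fields instead of tokenizing on quotes.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the scanner records quoted in this thread,
# one record per line, descriptions shortened, jar path as the last field.
SAMPLE_SCAN = r'''
"jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2023-26048" "Medium" "Multipart upload may cause OutOfMemoryError." "fixed" "[9.4.51.v20230217]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
"jetty-server" "9.4.20.v20190813" "java-archive" "CVE-2021-34428" "Low" "Session ID not invalidated if sessionDestroyed() throws." "fixed" "[9.4.41]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
"log4j" "1.2.17" "java-archive" "CVE-2019-17571" "Critical" "SocketServer deserialization of untrusted data." "not-fixed" "[]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
"netty" "3.10.6.Final" "java-archive" "CVE-2019-20444" "Critical" "Header lacking a colon might be interpreted as an "invalid fold."" "not-fixed" "[]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
"snappy-java" "1.0.5" "java-archive" "CVE-2023-43642" "High" "SnappyInputStream missing upper bound check on chunk length." "fixed" "[1.1.10.4]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
"snappy-java" "1.0.5" "java-archive" "CVE-2023-34455" "High" "Unchecked chunk length in hasNextChunk." "fixed" "[1.1.10.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
"protobuf-java" "2.5.0" "java-archive" "CVE-2022-3171" "High" "Binary parsing DoS via repeated embedded messages." "fixed" "[3.16.3]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
"protobuf-java" "2.5.0" "java-archive" "CVE-2021-22569" "Medium" "UnknownFieldSet interleaving processed out of order." "fixed" "[3.16.1]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
"zookeeper" "3.5.7" "java-archive" "CVE-2023-44981" "Critical" "Authorization bypass in SASL quorum peer authentication." "fixed" "[3.7.2]" /usr/lib/trino/plugin/phoenix5/phoenix-client-hbase-2.4-5.1.4-SNAPSHOT.jar
'''

# Anchored on both ends: five simple quoted fields, a free-text description
# that may itself contain quotes, then status, fix list and the jar path.
RECORD = re.compile(
    r'^"(?P<artifact>[^"]*)" "(?P<version>[^"]*)" "(?P<type>[^"]*)" '
    r'"(?P<id>[^"]*)" "(?P<severity>[^"]*)" "(?P<description>.*)" '
    r'"(?P<status>fixed|not-fixed)" "\[(?P<fixes>[^\]]*)\]" (?P<path>\S+)$'
)

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_records(text):
    """Parse scanner output into dicts; fail loudly on a line that does not fit."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m is None:
            raise ValueError(f"unparseable scanner line: {line[:60]!r}")
        rec = m.groupdict()
        rec["fixes"] = [v.strip() for v in rec["fixes"].split(",") if v.strip()]
        records.append(rec)
    return records


def version_key(v):
    """Sort key for Maven-style versions such as 9.4.51.v20230217 or 4.1.100.Final.
    Numeric components compare as integers; textual ones sort after numbers."""
    return tuple(
        (0, int(part), "") if part.isdigit() else (1, 0, part)
        for part in re.split(r"[.\-]", v)
    )


def triage(records):
    """Collapse per-finding rows into a per-artifact remediation plan."""
    by_artifact = defaultdict(list)
    for r in records:
        by_artifact[(r["artifact"], r["version"])].append(r)
    plan = {}
    for (artifact, version), findings in sorted(by_artifact.items()):
        fix_candidates = [v for f in findings for v in f["fixes"]]
        unfixed = sorted(f["id"] for f in findings if f["status"] != "fixed")
        worst = max(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 0))
        plan[artifact] = {
            "current": version,
            "findings": len(findings),
            "worst_severity": worst["severity"],
            # One bump covers every fixed finding only if it reaches the highest
            # fix version among them.
            "upgrade_to": max(fix_candidates, key=version_key) if fix_candidates else None,
            "unfixed": unfixed,
            # A not-fixed finding means no release of this line closes it: the
            # dependency has to be replaced or excluded, not bumped.
            "needs_replacement": bool(unfixed),
        }
    return plan


def format_plan(plan):
    lines = []
    for artifact, p in plan.items():
        action = f"upgrade to {p['upgrade_to']}" if p["upgrade_to"] else "no fixed release in this line"
        if p["needs_replacement"]:
            action += f"; replace (unfixed: {', '.join(p['unfixed'])})"
        lines.append(
            f"{artifact} {p['current']}: {p['findings']} finding(s), "
            f"worst {p['worst_severity']}, {action}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_plan(triage(parse_records(SAMPLE_SCAN))))
```

Run against the full export, the plan separates the bumps that a dependency-management override can deliver from the artifacts (log4j 1.x, netty 3.x) that only disappear by removing or replacing them, which is the distinction the shaded-artifact proposal in PHOENIX-7139 addresses.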
