[ https://issues.apache.org/jira/browse/DRILL-7162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16813486#comment-16813486 ]

Vitalii Diravka edited comment on DRILL-7162 at 4/9/19 2:35 PM:
----------------------------------------------------------------

Jetty version is updated in the latest master version to 9.3, see DRILL-7051. There is an issue with the Jetty 9.4 version, see DRILL-7135.
[~er.ayushsha...@gmail.com] Regarding other CVEs, if you are able to fix them please open the PRs. Thanks

was (Author: vitalii):
Jetty version is updated in the latest master version to 9.3, see DRILL-7051. There is an issue with the Jetty 9.4 version, see DRILL-7135.
[~er.ayushsha...@gmail.com] Regarding other CVEs, please publish here the list and if you are able to fix them please open the PRs. Thanks

> <SECURITY ISSUE> Apache Drill uses 3rd Party with Highest CVEs
> --------------------------------------------------------------
>
> Key: DRILL-7162
> URL: https://issues.apache.org/jira/browse/DRILL-7162
> Project: Apache Drill
> Issue Type: Bug
> Affects Versions: 1.13.0, 1.14.0, 1.15.0
> Reporter: Ayush Sharma
> Priority: Major
>
> Apache Drill uses 3rd party libraries with almost 250+ CVEs.
> Most of the CVEs are in the older version of Jetty (9.1.x), whereas the current version of Jetty is 9.4.x.
> Also many of the other libraries are in EOF versions and they are not patched even in the latest release.
> This creates an issue of security when we use it in production.
> We are able to replace many older versions of libraries with the latest versions with no CVEs; however, many of them are not replaceable as is and would require some changes in the source code.
> The Jetty version is of the highest priority and needs migration to the 9.4.x version immediately.
>
> Please look into this issue at immediate priority as it compromises the security of the application utilizing Apache Drill.