Bradley Parker created DRILL-7416:
-------------------------------------

Summary: Updates required to dependencies to resolve potential security vulnerabilities
Key: DRILL-7416
URL: https://issues.apache.org/jira/browse/DRILL-7416
Project: Apache Drill
Issue Type: Bug
Affects Versions: 1.16.0
Reporter: Bradley Parker
After running an OWASP Dependency Check and ruling out false positives, I have found 25 dependencies that should be updated to remove potential vulnerabilities. They are listed alphabetically with their CVE information below. CVSS scores (https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System) represent the severity of a vulnerability on a scale of 1-10, 10 being critical. CVEs (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) are public identifiers used to reference known vulnerabilities.

Package: avro-1.8.2
Should be: 1.9.0 (existing item at DRILL-7302)
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list: CVE-2018-10237

Package: commons-beanutils-1.9.2
Should be: 1.9.4
Max CVE (CVSS): CVE-2019-10086 (7.3)
Complete CVE list: CVE-2019-10086

Package: commons-beanutils-core-1.8.0
Should be: Moved to commons-beanutils
Max CVE (CVSS): CVE-2014-0114 (7.5)
Complete CVE list: CVE-2014-0114
Note: Deprecated, replaced by commons-beanutils

Package: converter-jackson
Should be: 2.5.0
Max CVE (CVSS): CVE-2018-1000850 (7.5)
Complete CVE list: CVE-2018-1000850

Package: derby-10.10.2.0
Should be: 10.14.2.0
Max CVE (CVSS): CVE-2015-1832 (9.1)
Complete CVE list: CVE-2015-1832 CVE-2018-1313

Package: drill-hive-exec-shaded
Should be: New release needed with updated Guava
Max CVE (CVSS): CVE-2018-10237 (7.5)
Complete CVE list: CVE-2018-10237

Package: drill-java-exec
Should be: New release needed with updated jQuery and Bootstrap
Max CVE (CVSS): CVE-2019-11358 (6.1)
Complete CVE list: CVE-2018-14040 CVE-2018-14041 CVE-2018-14042 CVE-2019-8331 CVE-2019-11358

Package: drill-shaded-guava-23
Should be: New release needed with updated Guava
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list: CVE-2018-10237

Package: guava-19.0
Should be: 24.1.1
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list: CVE-2018-10237

Package: hadoop-yarn-common-2.7.4
Should be: 3.2.1
Max CVE (CVSS): CVE-2019-11358 (6.1)
Complete CVE list: CVE-2012-6708 CVE-2015-9251 CVE-2019-11358 CVE-2010-5312 CVE-2016-7103

Package: hbase-http-2.1.1.jar
Should be: 2.1.4
Max CVE (CVSS): CVE-2019-0212 (7.5)
Complete CVE list: CVE-2019-0212

Package: httpclient-4.2.5.jar
Should be: 4.3.6
Max CVE (CVSS): CVE-2014-3577 (5.8)
Complete CVE list: CVE-2014-3577 CVE-2015-5262

Package: jackson-databind-2.9.5
Should be: 2.10.0
Max CVE (CVSS): CVE-2018-14721 (10)
Complete CVE list: CVE-2019-17267 CVE-2019-16943 CVE-2019-16942 CVE-2019-16335 CVE-2019-14540 CVE-2019-14439 CVE-2019-14379 CVE-2018-11307 CVE-2019-12384 CVE-2019-12814 CVE-2019-12086 CVE-2018-12023 CVE-2018-12022 CVE-2018-19362 CVE-2018-19361 CVE-2018-19360 CVE-2018-14721 CVE-2018-14720 CVE-2018-14719 CVE-2018-14718 CVE-2018-1000873

Package: jetty-server-9.3.25.v20180904.jar (existing DRILL-7135, but that's to go to 9.4 and it's blocked; we should go to latest 9.3 in the meantime)
Should be: 9.3.27.v20190418
Max CVE (CVSS): CVE-2017-9735 (7.5)
Complete CVE list: CVE-2017-9735 CVE-2019-10241 CVE-2019-10247

Package: Kafka 0.11.0.1
Should be: 2.2.0 (existing item DRILL-6739)
Max CVE (CVSS): CVE-2018-17196 (8.8)
Complete CVE list: CVE-2018-17196 CVE-2018-1288 CVE-2017-12610

Package: kudu-client-1.3.0.jar
Should be: 1.10.0
Max CVE (CVSS): CVE-2015-5237 (8.8)
Complete CVE list: CVE-2018-10237 CVE-2015-5237 CVE-2019-16869
Note: Only a partial fix, no fix for netty CVE-2019-16869 (7.5); kudu still needs to update their netty (this is not unexpected as this CVE is newer)

Package: libfb303-0.9.3.jar
Should be: 0.12.0
Max CVE (CVSS): CVE-2018-1320 (7.5)
Complete CVE list: CVE-2018-1320
Note: Moved to libthrift

Package: okhttp-3.3.0
Should be: 3.12.0
Max CVE (CVSS): CVE-2018-20200 (5.9)
Complete CVE list: CVE-2018-20200

Package: protobuf-java-2.5.0
Should be: 3.4.0
Max CVE (CVSS): CVE-2015-5237 (8.8)
Complete CVE list: CVE-2015-5237

Package: retrofit-2.1.0
Should be: 2.5.0
Max CVE (CVSS): CVE-2018-1000850 (7.5)
Complete CVE list: CVE-2018-1000850

Package: scala-library-2.11.0
Should be: 2.11.12
Max CVE (CVSS): CVE-2017-15288 (7.8)
Complete CVE list: CVE-2017-15288

Package: serializer-2.7.1
Should be: 2.7.2
Max CVE (CVSS): CVE-2014-0107 (7.5)
Complete CVE list: CVE-2014-0107

Package: xalan-2.7.1
Should be: 2.7.2
Max CVE (CVSS): CVE-2014-0107 (7.5)
Complete CVE list: CVE-2014-0107

Package: xercesImpl-2.11.0
Should be: 2.12.0
Max CVE (CVSS): CVE-2012-0881 (7.5)
Complete CVE list: CVE-2012-0881

Package: zookeeper-3.4.12
Should be: 3.4.14
Max CVE (CVSS): CVE-2019-0201 (5.9)
Complete CVE list: CVE-2019-0201

Additional keywords for searching: Vulnerability, CVE, OWASP, Dependency Check

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
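A triage helper, added here as an illustration and not part of the ticket or of the Drill project, that turns a Dependency-Check JSON report into the per-package "Max CVE (CVSS)" / "Complete CVE list" summary used above, after dropping CVEs that review marked as false positives. The report shape (dependencies[].vulnerabilities[] carrying cvssv3.baseScore or cvssv2.score), the SUPPRESSED map and all sample values are assumptions constructed for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of a Dependency-Check JSON report (assumed:
# dependencies[].vulnerabilities[] with cvssv3.baseScore or cvssv2.score).
# Jar names and scores echo ticket entries; the report itself is not from it.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "commons-beanutils-1.9.2.jar",
         "vulnerabilities": [
             {"name": "CVE-2019-10086", "cvssv3": {"baseScore": 7.3}}]},
        {"fileName": "derby-10.10.2.0.jar",
         "vulnerabilities": [
             {"name": "CVE-2015-1832", "cvssv3": {"baseScore": 9.1}},
             {"name": "CVE-2018-1313", "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "some-lib-1.0.jar",           # hypothetical jar
         "vulnerabilities": [
             {"name": "CVE-2000-0001", "cvssv2": {"score": 4.3}}]},
        {"fileName": "clean-lib-2.0.jar", "vulnerabilities": []},
    ]
})

# Hypothetical false positives ruled out during review: jar name -> CVE ids.
SUPPRESSED = {"some-lib-1.0.jar": {"CVE-2000-0001"}}

def score_of(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to the v2 score, else 0.0."""
    if "cvssv3" in vuln:
        return float(vuln["cvssv3"].get("baseScore", 0.0))
    if "cvssv2" in vuln:
        return float(vuln["cvssv2"].get("score", 0.0))
    return 0.0

def summarize(report_json: str, suppressed=SUPPRESSED,
              min_score: float = 0.0) -> Dict[str, Tuple[str, float, List[str]]]:
    """Map jar -> (worst CVE id, its CVSS, sorted list of all live CVE ids).
    Suppressed CVEs and findings below min_score are dropped; jars with no
    remaining findings are omitted, matching the ticket's listing."""
    out: Dict[str, Tuple[str, float, List[str]]] = {}
    for dep in json.loads(report_json).get("dependencies", []):
        name = dep.get("fileName", "?")
        live = [v for v in dep.get("vulnerabilities", [])
                if v["name"] not in suppressed.get(name, set())
                and score_of(v) >= min_score]
        if not live:
            continue
        worst = max(live, key=score_of)
        out[name] = (worst["name"], score_of(worst), sorted(v["name"] for v in live))
    return out

if __name__ == "__main__":
    for jar, (cve, score, cves) in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"Package: {jar}\nMax CVE (CVSS): {cve} ({score})\n"
              f"Complete CVE list: {' '.join(cves)}\n")
```

Raising min_score (for example to 7.0) yields only the packages whose worst finding is at or above that CVSS, which is a reasonable first cut when a list this long has to be prioritised.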