[ https://issues.apache.org/jira/browse/DRILL-7416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arina Ielchiieva updated DRILL-7416:
------------------------------------
    Fix Version/s:     (was: 1.17.0)

> Updates required to dependencies to resolve potential security vulnerabilities
> -------------------------------------------------------------------------------
>
>                 Key: DRILL-7416
>                 URL: https://issues.apache.org/jira/browse/DRILL-7416
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Bradley Parker
>            Assignee: Bradley Parker
>            Priority: Critical
>              Labels: security
>
> After running an OWASP Dependency Check and ruling out false positives, I
> have found 25 dependencies that should be updated to remove potential
> vulnerabilities. They are listed alphabetically with their CVE information
> below.
>
> [CVSS scores|https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System]
> represent the severity of a vulnerability on a scale of 1-10, 10 being
> critical. [CVEs|https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures]
> are public identifiers used to reference known vulnerabilities.
>
> Package: avro-1.8.2
> Should be: 1.9.0 (*Existing item at DRILL-7302*)
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: commons-beanutils-1.9.2
> Should be: 1.9.4
> Max CVE (CVSS): CVE-2019-10086 (7.3)
> Complete CVE list: CVE-2019-10086
>
> Package: commons-beanutils-core-1.8.0
> Should be: Moved to commons-beanutils
> Max CVE (CVSS): CVE-2014-0114 (7.5)
> Complete CVE list: CVE-2014-0114
> Notes: Deprecated, replaced by commons-beanutils
>
> Package: converter-jackson
> Should be: 2.5.0
> Max CVE (CVSS): CVE-2018-1000850 (7.5)
> Complete CVE list: CVE-2018-1000850
>
> Package: derby-10.10.2.0
> Should be: 10.14.2.0
> Max CVE (CVSS): CVE-2015-1832 (9.1)
> Complete CVE list: CVE-2015-1832, CVE-2018-1313
>
> Package: drill-hive-exec-shaded
> Should be: New release needed with updated Guava
> Max CVE (CVSS): CVE-2018-10237 (7.5)
> Complete CVE list: CVE-2018-10237
>
> Package: drill-java-exec
> Should be: New release needed with updated jQuery and Bootstrap
> Max CVE (CVSS): CVE-2019-11358 (6.1)
> Complete CVE list: CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331, CVE-2019-11358
>
> Package: drill-shaded-guava-23
> Should be: New release needed with updated Guava
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: guava-19.0
> Should be: 24.1.1
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list: CVE-2018-10237
>
> Package: hadoop-yarn-common-2.7.4
> Should be: 3.2.1
> Max CVE (CVSS): CVE-2019-11358 (6.1)
> Complete CVE list: CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2010-5312, CVE-2016-7103
>
> Package: hbase-http-2.1.1.jar
> Should be: 2.1.4
> Max CVE (CVSS): CVE-2019-0212 (7.5)
> Complete CVE list: CVE-2019-0212
>
> Package: httpclient-4.2.5.jar
> Should be: 4.3.6
> Max CVE (CVSS): CVE-2014-3577 (5.8)
> Complete CVE list: CVE-2014-3577, CVE-2015-5262
>
> Package: jackson-databind-2.9.5
> Should be: 2.10.0
> Max CVE (CVSS): CVE-2018-14721 (10)
> Complete CVE list: CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335,
> CVE-2019-14540, CVE-2019-14439, CVE-2019-14379, CVE-2018-11307, CVE-2019-12384,
> CVE-2019-12814, CVE-2019-12086, CVE-2018-12023, CVE-2018-12022, CVE-2018-19362,
> CVE-2018-19361, CVE-2018-19360, CVE-2018-14721, CVE-2018-14720, CVE-2018-14719,
> CVE-2018-14718, CVE-2018-1000873
>
> Package: jetty-server-9.3.25.v20180904.jar (*Existing DRILL-7135, but that's
> to go to 9.4 and it's blocked, we should go to latest 9.3 in the meantime*)
> Should be: 9.3.27.v20190418
> Max CVE (CVSS): CVE-2017-9735 (7.5)
> Complete CVE list: CVE-2017-9735, CVE-2019-10241, CVE-2019-10247
>
> Package: Kafka 0.11.0.1
> Should be: 2.2.0 (*Existing item DRILL-6739*)
> Max CVE (CVSS): CVE-2018-17196 (8.8)
> Complete CVE list: CVE-2018-17196, CVE-2018-1288, CVE-2017-12610
>
> Package: kudu-client-1.3.0.jar
> Should be: 1.10.0
> Max CVE (CVSS): CVE-2015-5237 (8.8)
> Complete CVE list: CVE-2018-10237, CVE-2015-5237, CVE-2019-16869
> Notes: Only a partial fix, no fix for netty CVE-2019-16869 (7.5), kudu
> still needs to update their netty (this is not unexpected as this CVE is
> newer)
>
> Package: libfb303-0.9.3.jar
> Should be: 0.12.0
> Max CVE (CVSS): CVE-2018-1320 (7.5)
> Complete CVE list: CVE-2018-1320
> Notes: Moved to libthrift
>
> Package: okhttp-3.3.0
> Should be: 3.12.0
> Max CVE (CVSS): CVE-2018-20200 (5.9)
> Complete CVE list: CVE-2018-20200
>
> Package: protobuf-java-2.5.0
> Should be: 3.4.0
> Max CVE (CVSS): CVE-2015-5237 (8.8)
> Complete CVE list: CVE-2015-5237
>
> Package: retrofit-2.1.0
> Should be: 2.5.0
> Max CVE (CVSS): CVE-2018-1000850 (7.5)
> Complete CVE list: CVE-2018-1000850
>
> Package: scala-library-2.11.0
> Should be: 2.11.12
> Max CVE (CVSS): CVE-2017-15288 (7.8)
> Complete CVE list: CVE-2017-15288
>
> Package: serializer-2.7.1
> Should be: 2.7.2
> Max CVE (CVSS): CVE-2014-0107 (7.5)
> Complete CVE list: CVE-2014-0107
>
> Package: xalan-2.7.1
> Should be: 2.7.2
> Max CVE (CVSS): CVE-2014-0107 (7.5)
> Complete CVE list: CVE-2014-0107
>
> Package: xercesImpl-2.11.0
> Should be: 2.12.0
> Max CVE (CVSS): CVE-2012-0881 (7.5)
> Complete CVE list: CVE-2012-0881
>
> Package: zookeeper-3.4.12
> Should be: 3.4.14
> Max CVE (CVSS): CVE-2019-0201 (5.9)
> Complete CVE list: CVE-2019-0201
>
> Additional keywords for searching: Vulnerability, CVE, OWASP, Dependency Check

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
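The ticket above is the product of a manual workflow: run OWASP Dependency Check, rule out false positives, then report each artifact with its highest-scoring CVE and the complete CVE list. The script below, added here as an example and not code from the Drill project or from the ticket, produces that same "Package / Max CVE (CVSS) / Complete CVE list" summary from a dependency-check JSON report. The report field names it reads (`dependencies[].fileName`, `vulnerabilities[].name`, `cvssv3.baseScore`, `cvssv2.score`) are my assumption about the report layout and should be checked against the report version you run; the embedded report and the suppressed false-positive pair are constructed sample data, and `example-fp-1.0.jar` is a hypothetical artifact used only to show suppression.

```python
"""Summarise an OWASP Dependency-Check JSON report in the ticket's format:
one block per vulnerable artifact with the highest-scoring CVE and the full
CVE list, after dropping findings that were triaged as false positives.

Assumed report layout (an assumption; verify against your report version):
  report["dependencies"][i]["fileName"]
  report["dependencies"][i]["vulnerabilities"][j]["name"]              # CVE id
  report["dependencies"][i]["vulnerabilities"][j]["cvssv3"]["baseScore"]
  report["dependencies"][i]["vulnerabilities"][j]["cvssv2"]["score"]
"""
import json
from typing import AbstractSet, List, Tuple

# Constructed sample report, not real scanner output. The CVE ids are the ones
# named in the ticket; example-fp-1.0.jar is a hypothetical artifact that
# stands in for a false-positive match.
SAMPLE_REPORT_JSON = """
{
  "dependencies": [
    {
      "fileName": "jackson-databind-2.9.5.jar",
      "vulnerabilities": [
        {"name": "CVE-2018-14721", "cvssv3": {"baseScore": 10.0}, "cvssv2": {"score": 7.5}},
        {"name": "CVE-2019-14540", "cvssv3": {"baseScore": 9.8},  "cvssv2": {"score": 7.5}}
      ]
    },
    {
      "fileName": "httpclient-4.2.5.jar",
      "vulnerabilities": [
        {"name": "CVE-2014-3577", "cvssv2": {"score": 5.8}}
      ]
    },
    {
      "fileName": "example-fp-1.0.jar",
      "vulnerabilities": [
        {"name": "CVE-2014-0107", "cvssv3": {"baseScore": 7.5}}
      ]
    },
    {"fileName": "clean-1.0.jar", "vulnerabilities": []}
  ]
}
"""
SAMPLE_REPORT = json.loads(SAMPLE_REPORT_JSON)

# (fileName, CVE) pairs triaged as false positives; constructed for the example.
SUPPRESSED = {("example-fp-1.0.jar", "CVE-2014-0107")}


def cvss_score(vuln: dict) -> float:
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0.0.

    Older CVEs (e.g. CVE-2014-3577) only carry a v2 score, which is why the
    ticket mixes v3 and v2 numbers.
    """
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    if v3 is not None:
        return float(v3)
    v2 = (vuln.get("cvssv2") or {}).get("score")
    return float(v2) if v2 is not None else 0.0


def summarise(report: dict, suppressed: AbstractSet[Tuple[str, str]] = frozenset()) -> List[dict]:
    """One record per artifact that still has unsuppressed CVEs, sorted by name."""
    records = []
    for dep in report.get("dependencies", []):
        name = dep.get("fileName", "<unknown>")
        vulns = [v for v in dep.get("vulnerabilities", [])
                 if (name, v["name"]) not in suppressed]
        if not vulns:
            continue
        # Highest score first; ties broken by CVE id so output is deterministic.
        ranked = sorted(vulns, key=lambda v: (-cvss_score(v), v["name"]))
        records.append({
            "package": name,
            "max_cve": ranked[0]["name"],
            "max_cvss": cvss_score(ranked[0]),
            "cves": [v["name"] for v in ranked],
        })
    return sorted(records, key=lambda r: r["package"].lower())


def format_ticket(records: List[dict], min_cvss: float = 0.0) -> str:
    """Render records in the ticket's block layout, skipping anything below min_cvss."""
    lines = []
    for r in records:
        if r["max_cvss"] < min_cvss:
            continue
        lines.append(f"Package: {r['package']}")
        lines.append(f"Max CVE (CVSS): {r['max_cve']} ({r['max_cvss']:g})")  # 10.0 renders as (10)
        lines.append("Complete CVE list: " + ", ".join(r["cves"]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_ticket(summarise(SAMPLE_REPORT, SUPPRESSED)))
```

Point the script at the `dependency-check-report.json` the scanner writes instead of the embedded sample to reproduce the triage step for a real build. The `min_cvss` gate plays the same role in a script that the Maven plugin's `failBuildOnCVSS` setting plays in CI: findings at or above the threshold block the build, everything below is reported but tolerated.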