[ https://issues.apache.org/jira/browse/HBASE-28250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17867095#comment-17867095 ]

Nihal Jain edited comment on HBASE-28250 at 7/18/24 7:47 PM:
-------------------------------------------------------------

We are currently on JRuby 9.3.13.0 which has been pushed to 2.6+ with 
HBASE-28249.

Here's a list of CVEs reported by our internal scan tool which impact 9.3.13.0; the one around snakeyaml being the most CRITICAL.
||THREAT||SECURITY ISSUE||CVSS SCORE||COMPONENT||
|9|CVE-2022-1471|9.8|org.jruby : jruby-complete : 9.3.13.0|
|9|CVE-2022-1471|9.8|org.yaml : snakeyaml : 1.33|
|8|CVE-2024-27281|8.8|org.jruby : jruby-complete : 9.3.13.0|
|8|sonatype-2024-0946|7.7|org.bouncycastle : bcprov-jdk18on : 1.74|
|8|sonatype-2024-0946|7.7|org.jruby : jruby-complete : 9.3.13.0|
|8|CVE-2021-41819|7.5|org.jruby : jruby-complete : 9.3.13.0|
|8|CVE-2024-29857|7.5|org.bouncycastle : bcprov-jdk18on : 1.74|
|8|CVE-2024-29857|7.5|org.jruby : jruby-complete : 9.3.13.0|
|7|sonatype-2022-6090|6.1|org.jruby : jruby-complete : 9.3.13.0|
|7|CVE-2024-30171|5.9|org.bouncycastle : bcprov-jdk18on : 1.74|
|7|CVE-2024-30171|5.9|org.jruby : jruby-complete : 9.3.13.0|
|7|CVE-2024-30172|5.9|org.bouncycastle : bcprov-jdk18on : 1.74|
|7|CVE-2024-30172|5.9|org.jruby : jruby-complete : 9.3.13.0|
|7|CVE-2024-35176|5.3|org.jruby : jruby-complete : 9.3.13.0|
|7|sonatype-2013-0074|4.4|org.jruby : jruby-complete : 9.3.13.0|

As a follow-up to HBASE-28249, I plan to take this up as an attempt to get rid of the snakeyaml issue.

I have been looking for/collecting all previous attempts/related resources around this which did not come to fruition:
 * [~apurtell]'s attempt to bring this issue to the JRuby community as part of [JRuby#7600|https://github.com/jruby/jruby/pull/7600], where he tried to emphasize dropping snakeyaml with 9.3.x to let hbase maintain its compatibility matrix. He also brought up that bumping to 9.4.x does not even work for shell interactive mode, in one of his [comments|https://github.com/jruby/jruby/pull/7600#issuecomment-1452700930].
 * I also found previous work to upgrade to 9.4.2 in HBASE-27921, where the work could not be realised with PR [https://github.com/apache/hbase/pull/5274], as the PR was breaking shell interactive mode, as mentioned in the previous comment.
 * Another related discussion: [https://github.com/jruby/jruby/issues/7570]

Also, based on [JRuby#7570 (comment)|https://github.com/jruby/jruby/issues/7570#issuecomment-1379546250], JRuby is not actually vulnerable to the snakeyaml vulnerability!
{quote}JRuby is not affected by any of the object deserialization exploits reported against SnakeYAML because we do not use SnakeYAML object serialization support. JRuby utilizes the parser from SnakeYAML directly, passing its events back to Ruby code in Psych. Psych has already made several changes and releases to limit or disable object deserialization by default.
{quote}
But as per security standards at my org, we must attempt to fix this vulnerability instead of trying to explain to CyberSec every time that we are not impacted.

Hence, as mentioned in the Jira description, we plan to bump to JRuby 9.4.x for the following reason:
{quote}JRuby 9.4.x drops critical snakeyaml CVE ({*}org.yaml : snakeyaml : 
1.33{*} having [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]) 
from our classpath with following change along with several other bugs/fixes: 
 * The Psych YAML library is updated to 5.1.0. This version switches the JRuby 
extension to SnakeYAML Engine, avoiding CVEs against the original SnakeYAML and 
updating YAML compatibility to specification version 1.2. 
[#6365|https://github.com/jruby/jruby/issues/6365], 
[#7570|https://github.com/jruby/jruby/issues/7570], 
[#7626|https://github.com/jruby/jruby/pull/7626]{quote}
But it is important to note that *JRuby 9.4.x targets Ruby 3.1 compatibility instead of Ruby 2.6*, which 9.3.x had! So we may have to decide on which branches we would want to drop a fix, if one is available.

As a simple attempt, I tried to build JRuby and start the shell in interactive mode to see if the issue mentioned by Andrew in his [comment|https://github.com/jruby/jruby/pull/7600#issuecomment-1452700930] is fixed with the latest JRuby version, i.e. 9.4.8.0, but to our bad luck it is still not the case. We fail with the following error:
{code:java}
./hbase shell
HBase Shell
Use "help" to get list of supported commands.
Use "exit" to quit this interactive shell.
For Reference, please visit: http://hbase.apache.org/2.0/book.html#shell
Version 2.6.1-SNAPSHOT, r2cc605af5f07f961c2b42f83fee0671ee117390f, Thu Jul 18 21:09:55 IST 2024
Took 0.0012 seconds
NoMethodError: undefined method `gsub' for nil:NilClass
    check_multiline_prompt at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/line_editor.rb:129
                       map at org/jruby/RubyArray.java:2803
    check_multiline_prompt at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/line_editor.rb:129
                  rerender at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/line_editor.rb:436
            inner_readline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline.rb:340
             readmultiline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline.rb:273
            with_raw_input at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/ansi.rb:152
             ttymode_yield at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/io/console/native_console.rb:32
                       raw at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/io/console/native_console.rb:56
            with_raw_input at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/ansi.rb:152
             readmultiline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline.rb:269
             readmultiline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/forwardable.rb:238
             readmultiline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/forwardable.rb:238
                      gets at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/input-method.rb:421
                eval_input at uri:classloader:/irb/hirb.rb:95
             signal_status at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb.rb:722
                eval_input at uri:classloader:/irb/hirb.rb:94
                       lex at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/ruby-lex.rb:273
  each_top_level_statement at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/ruby-lex.rb:242
                      loop at org/jruby/RubyKernel.java:1722
  each_top_level_statement at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/ruby-lex.rb:239
                     catch at org/jruby/RubyKernel.java:1423
  each_top_level_statement at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/ruby-lex.rb:238
                eval_input at uri:classloader:/irb/hirb.rb:111
                       run at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb.rb:443
                     catch at org/jruby/RubyKernel.java:1423
                       run at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb.rb:442
<main> at classpath:/jar-bootstrap.rb:233
{code}
I plan to further debug and see what could be causing this.

Posting this thread to get a heads-up for this change, keeping our compatibility in mind, and also to maybe have a discussion / plan on the targeted branches for a fix.

CC: [~zhangduo], [~psomogyi], [~ndimiduk]


was (Author: nihaljain.cs):
We are currently on JRuby 9.3.13.0 which has been pushed to 2.6+ with 
HBASE-28249.

Here's a list of CVEs reported by our internal scan tool which impact 9.3.13.0; the one around snakeyaml being the most CRITICAL.
||THREAT||SECURITY ISSUE||CVSS SCORE||COMPONENT||
|9|CVE-2022-1471|9.8|org.jruby : jruby-complete : 9.3.13.0|
|9|CVE-2022-1471|9.8|org.yaml : snakeyaml : 1.33|
|8|CVE-2024-27281|8.8|org.jruby : jruby-complete : 9.3.13.0|
|8|sonatype-2024-0946|7.7|org.bouncycastle : bcprov-jdk18on : 1.74|
|8|sonatype-2024-0946|7.7|org.jruby : jruby-complete : 9.3.13.0|
|8|CVE-2021-41819|7.5|org.jruby : jruby-complete : 9.3.13.0|
|8|CVE-2024-29857|7.5|org.bouncycastle : bcprov-jdk18on : 1.74|
|8|CVE-2024-29857|7.5|org.jruby : jruby-complete : 9.3.13.0|
|7|sonatype-2022-6090|6.1|org.jruby : jruby-complete : 9.3.13.0|
|7|CVE-2024-30171|5.9|org.bouncycastle : bcprov-jdk18on : 1.74|
|7|CVE-2024-30171|5.9|org.jruby : jruby-complete : 9.3.13.0|
|7|CVE-2024-30172|5.9|org.bouncycastle : bcprov-jdk18on : 1.74|
|7|CVE-2024-30172|5.9|org.jruby : jruby-complete : 9.3.13.0|
|7|CVE-2024-35176|5.3|org.jruby : jruby-complete : 9.3.13.0|
|7|sonatype-2013-0074|4.4|org.jruby : jruby-complete : 9.3.13.0|

As a follow-up to HBASE-28249, I plan to take this up as an attempt to get rid of the snakeyaml issue.

I have been looking for/collecting all previous attempts/related resources around this which did not come to fruition:
 * [~apurtell]'s attempt to bring this issue to the JRuby community as part of [JRuby#7600|https://github.com/jruby/jruby/pull/7600], where he tried to emphasize dropping snakeyaml with 9.3.x to let hbase maintain its compatibility matrix. He also brought up that bumping to 9.4.x does not even work for shell interactive mode, in one of his [comments|https://github.com/jruby/jruby/pull/7600#issuecomment-1452700930].
 * I also found previous work to upgrade to 9.4.2 in HBASE-27921, where the work could not be realised with PR [https://github.com/apache/hbase/pull/5274], as the PR was breaking shell interactive mode, as mentioned in the previous comment.
 * Another related discussion: [https://github.com/jruby/jruby/issues/7570]

Also, based on [JRuby#7570 (comment)|https://github.com/jruby/jruby/issues/7570#issuecomment-1379546250], JRuby is not actually vulnerable to the snakeyaml vulnerability:
{quote}JRuby is not affected by any of the object deserialization exploits reported against SnakeYAML because we do not use SnakeYAML object serialization support. JRuby utilizes the parser from SnakeYAML directly, passing its events back to Ruby code in Psych. Psych has already made several changes and releases to limit or disable object deserialization by default.
{quote}

But as per security standards at my org, we must attempt to fix this vulnerability instead of trying to explain to CyberSec every time that we are not impacted.

Hence, as mentioned in the Jira description:
{quote}JRuby 9.4.x drops critical snakeyaml CVE ({*}org.yaml : snakeyaml : 
1.33{*} having [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]) 
from our classpath with following change along with several other bugs/fixes: 
 * The Psych YAML library is updated to 5.1.0. This version switches the JRuby 
extension to SnakeYAML Engine, avoiding CVEs against the original SnakeYAML and 
updating YAML compatibility to specification version 1.2. 
[#6365|https://github.com/jruby/jruby/issues/6365], 
[#7570|https://github.com/jruby/jruby/issues/7570], 
[#7626|https://github.com/jruby/jruby/pull/7626]{quote}
But JRuby 9.4.x targets Ruby 3.1 compatibility instead of Ruby 2.6, which 9.3.x had! So we may have to decide on which branches we would want to drop a fix, if one is available.

As a simple attempt, I tried to build JRuby and start the shell in interactive mode to see if the issue mentioned by Andrew in his [comment|https://github.com/jruby/jruby/pull/7600#issuecomment-1452700930] is fixed with the latest JRuby version, i.e. 9.4.8.0, but to our bad luck it is still not the case. We fail with the following error:
{code:java}
./hbase shell
HBase Shell
Use "help" to get list of supported commands.
Use "exit" to quit this interactive shell.
For Reference, please visit: http://hbase.apache.org/2.0/book.html#shell
Version 2.6.1-SNAPSHOT, r2cc605af5f07f961c2b42f83fee0671ee117390f, Thu Jul 18 21:09:55 IST 2024
Took 0.0012 seconds
NoMethodError: undefined method `gsub' for nil:NilClass
    check_multiline_prompt at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/line_editor.rb:129
                       map at org/jruby/RubyArray.java:2803
    check_multiline_prompt at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/line_editor.rb:129
                  rerender at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/line_editor.rb:436
            inner_readline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline.rb:340
             readmultiline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline.rb:273
            with_raw_input at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/ansi.rb:152
             ttymode_yield at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/io/console/native_console.rb:32
                       raw at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/io/console/native_console.rb:56
            with_raw_input at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline/ansi.rb:152
             readmultiline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/reline.rb:269
             readmultiline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/forwardable.rb:238
             readmultiline at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/forwardable.rb:238
                      gets at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/input-method.rb:421
                eval_input at uri:classloader:/irb/hirb.rb:95
             signal_status at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb.rb:722
                eval_input at uri:classloader:/irb/hirb.rb:94
                       lex at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/ruby-lex.rb:273
  each_top_level_statement at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/ruby-lex.rb:242
                      loop at org/jruby/RubyKernel.java:1722
  each_top_level_statement at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/ruby-lex.rb:239
                     catch at org/jruby/RubyKernel.java:1423
  each_top_level_statement at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb/ruby-lex.rb:238
                eval_input at uri:classloader:/irb/hirb.rb:111
                       run at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb.rb:443
                     catch at org/jruby/RubyKernel.java:1423
                       run at uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/irb.rb:442
<main> at classpath:/jar-bootstrap.rb:233
{code}
I plan to further debug and see what could be causing this.

Posting this thread to get a heads-up for this change, keeping our compatibility in mind, and also to maybe have a discussion / plan on the targeted branches for a fix.

CC: [~zhangduo], [~psomogyi], [~ndimiduk]

> Bump jruby to 9.4.8.0 and related joni and jcodings
> ---------------------------------------------------
>
>                 Key: HBASE-28250
>                 URL: https://issues.apache.org/jira/browse/HBASE-28250
>             Project: HBase
>          Issue Type: Task
>          Components: jruby
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>
> As a follow-up to HBASE-28249, we want to bump to the latest 9.4.x line here. 
> This release line drops critical snakeyaml CVE ({*}org.yaml : snakeyaml : 
> 1.33{*} having 
> [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]) from our 
> classpath with following change along with several other bugs/fixes: 
>  * The Psych YAML library is updated to 5.1.0. This version switches the 
> JRuby extension to SnakeYAML Engine, avoiding CVEs against the original 
> SnakeYAML and updating YAML compatibility to specification version 1.2. 
> [#6365|https://github.com/jruby/jruby/issues/6365], 
> [#7570|https://github.com/jruby/jruby/issues/7570], 
> [#7626|https://github.com/jruby/jruby/pull/7626]
> NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of Ruby 2.6, which 
> 9.3.x had!
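The JRuby maintainers' comment quoted in the thread makes the point that JRuby only feeds SnakeYAML's parser events into Psych, and that Psych limits object deserialization by default. As an added example, not code from this Jira thread, from HBase or from JRuby, the Ruby below shows what that default looks like at the API level: Psych.safe_load accepts a plain-data document and rejects one that names an application class by tag or uses an alias, and a class can only be instantiated when it is put on an explicit allowlist. The AuditRecord class and the three YAML documents are constructed for the example; it assumes Psych 3.1 or newer (Ruby 2.6+) for the permitted_classes keyword and runs unchanged on MRI and JRuby.

```ruby
require "psych"

# Constructed sample class for the example: stands in for any class a YAML
# document could name by tag. It is NOT permitted by default, so safe_load
# refuses to build it no matter what the document says.
class AuditRecord
  attr_accessor :user, :action
end

# Constructed sample documents (not taken from the Jira thread).
PLAIN_DOC = <<~YAML
  cluster: hbase-prod
  shell:
    interactive: true
    retries: 3
YAML

TAGGED_DOC = <<~YAML
  record: !ruby/object:AuditRecord
    user: alice
    action: disable_table
YAML

ALIAS_DOC = <<~YAML
  defaults: &defaults
    retries: 3
  shell:
    <<: *defaults
YAML

# Fail-closed loader: only scalars, arrays and hashes may come out. A tag that
# names a Ruby class, an alias/anchor, or malformed input is reported as a
# structured rejection instead of an exception escaping into the caller.
def load_data_only(yaml_text)
  [:ok, Psych.safe_load(yaml_text)]
rescue Psych::DisallowedClass => e
  [:rejected, :disallowed_class, e.message]
rescue Psych::BadAlias => e          # aliases are off by default in safe_load
  [:rejected, :alias, e.message]
rescue Psych::SyntaxError => e
  [:rejected, :syntax, e.message]
end

# Opting a class back in is an explicit, reviewable decision: the allowlist is
# the only way a tagged document can produce an AuditRecord instance.
def load_with_allowlist(yaml_text, classes)
  [:ok, Psych.safe_load(yaml_text, permitted_classes: classes)]
rescue Psych::DisallowedClass => e
  [:rejected, :disallowed_class, e.message]
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_DOC, TAGGED_DOC, ALIAS_DOC, "a: [1, 2"].each do |doc|
    p load_data_only(doc)
  end
  p load_with_allowlist(TAGGED_DOC, [AuditRecord])
  p load_with_allowlist(TAGGED_DOC, [])
end
```

The distinction the loader makes is the one the maintainers rely on: a document may name any class it likes, but nothing is instantiated unless the application asked for it, so a scanner finding against the YAML parser's object-construction path does not translate into code execution on a configuration-loading path that only ever calls safe_load.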



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
