Billy Liu created KYLIN-2879:
--------------------------------

Summary: Upgrade Spring & Spring Security to fix potential vulnerability
Key: KYLIN-2879
URL: https://issues.apache.org/jira/browse/KYLIN-2879
Project: Kylin
Issue Type: Improvement
Reporter: Billy Liu
Assignee: Billy Liu
Priority: Critical
After running against VersionEye, the system shows that Kylin has "14 known security vulnerabilities". They are from the commons-fileupload, commons-email, xercesImpl, spring-webmvc, spring-jdbc, spring-aop, spring-context-support, spring-test, spring-security-core, tomcat-catalina and spring-core libraries. Upgrading to newer versions will fix the vulnerabilities. Following is the detailed report:

commons-fileupload : 1.3.1
  2016-3092 Apache Commons Fileupload: Denial of Service
    https://bugzilla.redhat.com/show_bug.cgi?id=1349475
    http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3c6223ece6-2b41-ef4f-22f9-d3481e492...@apache.org%3E
    http://tomcat.apache.org/security.html
    http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
    Affected versions: <=1.3.1,1.3 && <=1.2.2,1.2
  CVE-2016-3092
    https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
    Affected versions: 1.3.1
  2016-1000031 Apache Commons FileUpload Deserialization Gadget
    https://www.tenable.com/security/research/tra-2016-12
    https://issues.apache.org/jira/browse/FILEUPLOAD-279
    https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
    Affected versions: <=1.3.2

commons-email : 1.4
  2017-9801 SMTP header injection vulnerability
    https://commons.apache.org/proper/commons-email/security-reports.html
    https://nvd.nist.gov/vuln/detail/CVE-2017-9801
    Affected versions: <=1.4

xercesImpl : 2.11.0
  2013-4002 Apache Xerces: XMLScanner resource exhaustion
    https://bugzilla.redhat.com/CVE-2013-4002
    http://svn.apache.org/viewvc?view=revision&revision=1499506
    Affected versions: <=2.11.0

spring-webmvc : 4.2.8.RELEASE
  CVE-2016-9878
    https://pivotal.io/security/cve-2016-9878
    Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-jdbc : 4.2.8.RELEASE
  CVE-2016-9878
    https://pivotal.io/security/cve-2016-9878
    Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-aop : 4.2.8.RELEASE
  CVE-2016-9878
    https://pivotal.io/security/cve-2016-9878
    Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-context-support : 4.2.8.RELEASE
  CVE-2016-9878
    https://pivotal.io/security/cve-2016-9878
    Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-test : 4.2.8.RELEASE
  CVE-2016-9878
    https://pivotal.io/security/cve-2016-9878
    Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

spring-security-core : 4.0.4.RELEASE
  2016-5007 Spring Security / MVC Path Matching Inconsistency
    https://pivotal.io/security/cve-2016-5007
    Affected versions: <=4.1.0.RELEASE

tomcat-catalina : 7.0.69
  2016-3092 Apache Commons Fileupload: Denial of Service
    https://bugzilla.redhat.com/show_bug.cgi?id=1349475
    http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3c6223ece6-2b41-ef4f-22f9-d3481e492...@apache.org%3E
    http://tomcat.apache.org/security.html
    http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
    Affected versions: <=9.0.0.M7,9 && <=8.5.2,8.5 && <=8.0.35,8.0 && <=7.0.69,7

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)