New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE suppression (#12535) #12543

Merged

abhishekagarwal87 merged 1 commit into apache:0.23.0 from AmatyaAvadhanula:feature-cve_suppression_18_05_2022_backport

May 19, 2022

Contributor

AmatyaAvadhanula commented May 19, 2022

Backport #12535 to release 0.23.0

Suppress

Ambari -> ambari-metrics-common-2.7.0.0.0.jar -> CVE-2021-4104, CVE-2020-9493, CVE-2022-23307, CVE-2022-23305, CVE-2022-23302

The CVEs are being suppressed since Ambari hasn't been updated in a long time. Might consider eliminating this dependency in the future

GSON -> gson-*.jar -> CVE-2022-25647

This CVE only affects code using java serialization and doesn't affect druid. (Prevent Java deserialization of internal classes google/gson#1991 (comment))

Jackson -> *jackson-*.jar -> CVE-2020-36518

The issue may occur due to large object depth when using jackson. Suppressing for now. A jackson update to mitigate this is being considered as well. One such PR is Bump Jackson to 2.12.6.20220326 (CVE-2020-36518) #12411

Jedis -> jedis-2.9.0.jar -> CVE-2021-32626, CVE-2022-24735

The Jedis vulnerabilities are due to lua script execution in Redis. This is not applicable to druid

Solr -> solr-solrj-7.7.1.jar -> CVE-2021-44548

This CVE only affects Windows and is not applicable to druid


          CVE suppression (apache#12535)

771f3df

AmatyaAvadhanula mentioned this pull request

CVE suppression #12535

Merged

abhishekagarwal87 added this to the 0.23.0 milestone

abhishekagarwal87 merged commit 7b62bb9 into apache:0.23.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet