
Address Java Vulnerabilities in Docker Image as of 24 April on latest image #16708

Open
pjpringle opened this issue May 13, 2024 · 3 comments
@pjpringle

Docker image has a lot of Java libraries which fail enterprise vulnerability scans.

| package | version | fix_version | id | severity |
|---|---|---|---|---|
| log4j:log4j | 1.2.17 | | CVE-2019-17571 | Critical |
| log4j:log4j | 1.2.17 | | CVE-2022-23305 | Critical |
| org.yaml:snakeyaml | 1.33 | | CVE-2022-1471 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.4, 2.8.11 | CVE-2017-15095 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11, 2.9.4 | CVE-2017-17485 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.7.9.1, 2.6.7.1, 2.8.9 | CVE-2017-7525 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11.2, 2.7.9.4, 2.9.6 | CVE-2018-11307 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.7.9.5, 2.8.11.3, 2.9.7 | CVE-2018-14718 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.7.9.5, 2.8.11.3, 2.9.7 | CVE-2018-14719 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11.1, 2.9.5 | CVE-2018-7489 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.9.2 | CVE-2019-14379 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10 | CVE-2019-14540 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10, 2.8.11.5, 2.6.7.3 | CVE-2019-14892 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11.5, 2.9.10 | CVE-2019-14893 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10 | CVE-2019-16335 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.1 | CVE-2019-16942 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.1 | CVE-2019-16943 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10 | CVE-2019-17267 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.1 | CVE-2019-17531 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.6.7.4, 2.7.9.7, 2.9.10.2, 2.8.11.5 | CVE-2019-20330 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.6.7.4, 2.7.9.7, 2.9.10.3, 2.8.11.5 | CVE-2020-8840 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.4 | CVE-2020-9547 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.4 | CVE-2020-9548 | Critical |
| log4j:log4j | 1.2.17 | | CVE-2022-23307 | High |
| log4j:log4j | 1.2.17 | | CVE-2021-4104 | High |
| log4j:log4j | 1.2.17 | | CVE-2022-23302 | High |
| com.google.protobuf:protobuf-java | 3.7.1 | 3.16.3, 3.19.6, 3.20.3, 3.21.7 | CVE-2022-3171 | High |
| com.google.protobuf:protobuf-java | 3.7.1 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | CVE-2022-3509 | High |
| com.google.protobuf:protobuf-java | 3.7.1 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | CVE-2022-3510 | High |
| net.minidev:json-smart | 1.3.2 | 2.4.4, 1.3.3 | CVE-2021-31684 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36179 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11.2, 2.7.9.4, 2.9.6 | CVE-2018-12022 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.4, 2.8.11 | CVE-2018-5968 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.9 | CVE-2019-12086 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.9.2 | CVE-2019-14439 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.4 | CVE-2020-10650 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.4 | CVE-2020-10673 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.6 | CVE-2020-24616 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.6, 2.6.7.5 | CVE-2020-24750 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.10.5.1, 2.9.10.7, 2.6.7.4 | CVE-2020-25649 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-35490 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-35491 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36180 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36181 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36182 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36183 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36184 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36185 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36186 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36187 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36188 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36189 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.12.6.1, 2.13.2.1 | CVE-2020-36518 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.7 | CVE-2021-20190 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.13.4.1, 2.12.7.1 | CVE-2022-42003 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.13.4, 2.12.7.1 | CVE-2022-42004 | High |
| com.fasterxml.woodstox:woodstox-core | 5.3.0 | 5.4.0, 6.4.0 | CVE-2022-40151 | High |
| com.fasterxml.woodstox:woodstox-core | 5.3.0 | 5.4.0, 6.4.0 | CVE-2022-40152 | High |
| com.google.code.gson:gson | 2.8.1 | 2.8.9 | CVE-2022-25647 | High |
| io.netty:netty-all | 4.1.12.Final | 4.1.42.Final | CVE-2019-16869 | High |
| com.google.protobuf:protobuf-java | 3.3.1 | 3.16.3, 3.19.6, 3.20.3, 3.21.7 | CVE-2022-3171 | High |
| com.google.protobuf:protobuf-java | 3.3.1 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | CVE-2022-3509 | High |
| com.google.protobuf:protobuf-java | 3.3.1 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | CVE-2022-3510 | High |
| io.netty:netty-all | 4.1.12.Final | 4.1.86 | CVE-2022-41881 | High |
| org.apache.thrift:libthrift | 0.9.3 | 0.14.0 | CVE-2020-13949 | High |
| org.apache.ant:ant | 1.9.1 | 1.10.9 | CVE-2020-11979 | High |
| org.apache.hadoop:hadoop-yarn-server-common | 3.1.0 | 3.3.2, 3.2.3, 2.10.2 | CVE-2021-33036 | High |
| org.apache.thrift:libthrift | 0.9.3 | 0.12.0 | CVE-2018-1320 | High |
| org.apache.thrift:libthrift | 0.9.3 | 0.13.0 | CVE-2019-0205 | High |
| org.apache.thrift:libthrift | 0.9.3 | 0.13.0 | CVE-2019-0210 | High |
| org.codehaus.jettison:jettison | 1.1 | 1.5.1 | CVE-2022-40149 | High |
| org.codehaus.jettison:jettison | 1.1 | 1.5.2 | CVE-2022-40150 | High |
| org.codehaus.jettison:jettison | 1.1 | 1.5.2 | CVE-2022-45685 | High |
| org.codehaus.jettison:jettison | 1.1 | 1.5.2 | CVE-2022-45693 | High |
| org.apache.hadoop:hadoop-hdfs | 2.2.0 | 2.7.0 | CVE-2017-3162 | High |
| org.apache.hadoop:hadoop-hdfs | 2.2.0 | 2.10.1, 3.1.4, 3.2.2 | CVE-2020-9492 | High |
| org.codehaus.jackson:jackson-mapper-asl | 1.9.2 | | CVE-2019-10172 | High |
@github-actions github-actions bot added this to the release-1.10 milestone May 13, 2024
@neverchanje
Contributor

@pjpringle Could you share which RisingWave version you are using?

@pjpringle
Author

1.8

@neverchanje
Contributor

neverchanje commented May 20, 2024

Hi, @pjpringle

I believe that most of these reported vulnerabilities are not due to the direct dependencies of RisingWave. For example, we were actually using `<jackson.version>2.13.5</jackson.version>` in 1.8, but the reported version is 2.4.0.

See https://github.com/risingwavelabs/risingwave/blob/v1.8.0/java/pom.xml

May I ask which tool you are using to detect these issues?
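The triage step the maintainer describes above (comparing each scanner-reported version with the version the pom actually declares) can be automated. The following is an added example, not code from the RisingWave project: it parses rows in the same shape as the scan output quoted in this issue and labels each package as direct, transitive-or-bundled, or undeclared. The jackson 2.13.5 pin comes from the reply above; the protobuf pin and the sample rows are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the same "package version [fix_versions] CVE severity" shape
# as the scan output quoted in the issue; the fix_version column may be absent.
SCAN_LINES = """\
package version fix_version id severity
log4j:log4j 1.2.17 CVE-2019-17571 Critical
com.fasterxml.jackson.core:jackson-databind 2.4.0 2.9.4, 2.8.11 CVE-2017-15095 Critical
com.google.protobuf:protobuf-java 3.7.1 3.16.3, 3.19.6, 3.20.3, 3.21.7 CVE-2022-3171 High
"""

# Versions declared as direct dependencies. jackson 2.13.5 is the value quoted in the
# maintainer's reply for v1.8; the protobuf entry is a placeholder (assumption).
DECLARED = {
    "com.fasterxml.jackson.core:jackson-databind": "2.13.5",
    "com.google.protobuf:protobuf-java": "3.7.1",
}

# fix_version is optional and comma-separated; the CVE id anchors the tail of the row.
ROW_RE = re.compile(
    r"^(?P<pkg>\S+)\s+(?P<ver>\S+)\s+(?:(?P<fix>\S.*?)\s+)?(?P<cve>CVE-\d{4}-\d+)\s+(?P<sev>\w+)$"
)

@dataclass
class Finding:
    package: str
    reported: str
    fix_versions: list[str]
    cve: str
    severity: str

def parse_scan(text: str) -> list[Finding]:
    """Parse scanner rows; the header line and any malformed row are skipped."""
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        fixes = [v.strip() for v in (m["fix"] or "").split(",") if v.strip()]
        findings.append(Finding(m["pkg"], m["ver"], fixes, m["cve"], m["sev"]))
    return findings

def triage(findings: list[Finding], declared: dict[str, str]) -> dict[str, dict]:
    """Group CVEs per package and classify the reported version against the pom:
    "direct" (pom pins exactly this version, a bump clears it), "transitive-or-bundled"
    (pom declares a different version, so the jar must be traced), or "undeclared"."""
    report: dict[str, dict] = {}
    for f in findings:
        entry = report.setdefault(f.package, {"reported": f.reported, "cves": []})
        entry["cves"].append(f.cve)
        pinned = declared.get(f.package)
        entry["declared"] = pinned
        if pinned is None:
            entry["origin"] = "undeclared"
        else:
            entry["origin"] = "direct" if pinned == f.reported else "transitive-or-bundled"
    return report
```

A "transitive-or-bundled" result is the signal to run `mvn dependency:tree` (or inspect the image's jar directories) rather than just bumping the pom property.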
