
Suppress Hadoop and jose4j cve #15425

Merged 1 commit, Nov 24, 2023

Conversation

@kfaraz (Contributor) commented Nov 23, 2023

Changes

  • Suppress CVE-2023-36478 as there is no newer Hadoop version available that addresses this
  • Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not addressed yet.
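For readers who have not worked with OWASP dependency-check suppressions, the following is an added example of how two suppressions like the ones described in this PR are expressed; it is written for this page and is not the Druid project's suppression file. The CVE identifiers are the two named above; the artifact coordinates matched by the `packageUrl` regexes (`org.apache.hadoop/*`, `org.bitbucket.b_c/jose4j`) and the `until` dates are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a dependency-check suppression file, not Druid's own.
     Artifact coordinates and the 'until' expiry dates are illustrative assumptions. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Scope each suppression to the affected artifacts with a packageUrl regex
       instead of suppressing the CVE globally, and record the reason in notes. -->
  <suppress until="2024-03-31Z">
    <notes><![CDATA[
      CVE-2023-36478 reported on the Hadoop client jars.
      No Hadoop release that addresses it is available yet; re-evaluate when one is published.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/.*@.*$</packageUrl>
    <cve>CVE-2023-36478</cve>
  </suppress>

  <suppress until="2024-03-31Z">
    <notes><![CDATA[
      CVE-2023-31582 in jose4j, pulled in transitively by the Kubernetes and Kafka
      dependencies, which have not picked up a fixed version yet.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.bitbucket\.b_c/jose4j@.*$</packageUrl>
    <cve>CVE-2023-31582</cve>
  </suppress>

</suppressions>
```

The file is referenced from the dependency-check-maven plugin configuration. Two points matter in practice: `<cve>` suppresses only that one finding on the matched artifacts, whereas `<cpe>` would hide every finding tied to that product identification, so `<cve>` is the right element when the vulnerability is real but currently unfixable; and the `until` attribute makes the suppression expire, so once the date passes the build fails again and the team is forced to check whether a fixed Hadoop or jose4j version has become available rather than carrying the exception indefinitely.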

@kfaraz (Contributor, Author) commented Nov 24, 2023

Thanks for the review, @abhishekagarwal87! There seem to be a few more CVEs coming from druid-ranger-security, but these are already being addressed in #15407

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.4.4:check (default-cli) on project druid-ranger-security: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
[ERROR] 
[ERROR] aggs-matrix-stats-client-7.10.2.jar: CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
[ERROR] aws-java-sdk-bundle-1.12.125.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2021-46877(7.5), CVE-2020-36518(7.5)
[ERROR] aws-java-sdk-bundle-1.12.125.jar/META-INF/maven/io.netty/netty-codec/pom.xml: CVE-2022-41881(7.5)
[ERROR] aws-java-sdk-bundle-1.12.125.jar/META-INF/maven/io.netty/netty-transport/pom.xml: CVE-2022-41881(7.5)
[ERROR] elasticsearch-core-7.10.2.jar: CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
[ERROR] kafka-clients-2.8.1.jar: CVE-2023-25194(8.8)
[ERROR] lang-mustache-client-7.10.2.jar: CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
[ERROR] mapper-extras-client-7.10.2.jar: CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
[ERROR] parent-join-client-7.10.2.jar: CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
[ERROR] rank-eval-client-7.10.2.jar: CVE-2023-31419(7.5), CVE-2023-31417(7.5), CVE-2023-31418(7.5)
[ERROR] spatial4j-0.7.jar: CVE-2014-125074(9.8)
[ERROR] woodstox-core-6.2.4.jar/META-INF/maven/com.sun.xml.bind.jaxb/isorelax/pom.xml: CVE-2023-34411(7.5)

@kfaraz kfaraz merged commit 75d6993 into apache:master Nov 24, 2023
87 of 89 checks passed
@kfaraz kfaraz deleted the address_vulnerabilities branch November 24, 2023 03:55
yashdeep97 pushed a commit to yashdeep97/druid that referenced this pull request Dec 1, 2023
Changes
- Suppress CVE-2023-36478 as there is no newer Hadoop version available that addresses
- Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not addressed yet.
@xvrl xvrl mentioned this pull request Dec 15, 2023
@LakshSingla LakshSingla added this to the 29.0.0 milestone Jan 29, 2024