kylin-issues mailing list archives

From "XuCongying (Jira)" <j...@apache.org>
Subject [jira] [Commented] (KYLIN-4394) There are several CVEs in the project dependencies
Date Mon, 02 Mar 2020 16:03:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-4394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17049355#comment-17049355 ]

XuCongying commented on KYLIN-4394:
-----------------------------------

There are more details; you can check them in "Attachments" (apache-kylin_CVE-report.md).

 

I found that the buggy methods of the CVEs are in the program execution path of your project,
which puts your project at risk. I have suggested some version updates. Here is the detailed
information:
 * *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.1

 * *Call Chain to Buggy Methods:*

 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.getLong(java.lang.String,long),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  storage-hbase/src/main/java/org/apache/kylin/storage/hbase/steps/HFileOutputFormat3.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.getLong(java.lang.String,long)
org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** Files in your project:  storage-hbase/src/main/java/org/apache/kylin/storage/hbase/HBaseConnection.java

 *** One of the possible call chains:
  org.apache.hadoop.conf.Configuration.getTrimmedStringCollection(java.lang.String)
  org.apache.hadoop.conf.Configuration.get(java.lang.String)
  org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.security.UserGroupInformation.getCurrentUser(),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  storage-hbase/src/main/java/org/apache/kylin/storage/hbase/util/PingHBaseCLI.java

 *** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getCurrentUser()
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  storage-hbase/src/main/java/org/apache/kylin/storage/hbase/steps/HFileOutputFormat3.java,
engine-mr/src/main/java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java, storage-hbase/src/main/java/org/apache/kylin/storage/hbase/HBaseConnection.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.io.SequenceFile.Reader.next(org.apache.hadoop.io.Writable,org.apache.hadoop.io.Writable),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  engine-mr/src/main/java/org/apache/kylin/engine/mr/common/CubeStatsReader.java,
core-common/src/main/java/org/apache/kylin/common/util/HadoopUtil.java

 *** One of the possible call chains:
org.apache.hadoop.io.SequenceFile.Reader.next(org.apache.hadoop.io.Writable,org.apache.hadoop.io.Writable)
[buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[]),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  engine-mr/src/main/java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java

 *** One of the possible call chains:
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[])
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.Options,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(org.apache.commons.cli.Options,org.apache.hadoop.conf.Configuration,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.CommandLine)
org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** Files in your project:  storage-hbase/src/main/java/org/apache/kylin/storage/hbase/steps/HFileOutputFormat3.java,
core-common/src/main/java/org/apache/kylin/common/util/HadoopUtil.java

 *** One of the possible call chains:
  org.apache.hadoop.io.SequenceFile.createWriter(org.apache.hadoop.fs.FileSystem,org.apache.hadoop.conf.Configuration,org.apache.hadoop.fs.Path,java.lang.Class,java.lang.Class)
  org.apache.hadoop.io.SequenceFile.createWriter(org.apache.hadoop.conf.Configuration,org.apache.hadoop.io.SequenceFile$Writer$Option[])
  org.apache.hadoop.io.SequenceFile.getDefaultCompressionType(org.apache.hadoop.conf.Configuration)
  org.apache.hadoop.conf.Configuration.get(java.lang.String)
  org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  source-hive/src/main/java/org/apache/kylin/source/hive/MRHiveDictUtil.java,
storage-hbase/src/main/java/org/apache/kylin/storage/hbase/steps/HFileOutputFormat3.java,
core-common/src/main/java/org/apache/kylin/common/util/HadoopUtil.java, engine-mr/src/main/java/org/apache/kylin/engine/mr/streaming/ColumnarSplitInputFormat.java,
engine-mr/src/main/java/org/apache/kylin/engine/mr/common/HadoopCmdOutput.java

 *** One of the possible call chains:
org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.get(java.net.URI,org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.getDefaultUri(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  storage-hbase/src/main/java/org/apache/kylin/storage/hbase/steps/HFileOutputFormat3.java,
storage-hbase/src/main/java/org/apache/kylin/storage/hbase/util/HBaseRegionSizeCalculator.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean)
org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.get(java.lang.String),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  storage-hbase/src/main/java/org/apache/kylin/storage/hbase/steps/HFileOutputFormat3.java,
storage-hbase/src/main/java/org/apache/kylin/storage/hbase/util/PrintHBaseConfig.java, storage-hbase/src/main/java/org/apache/kylin/storage/hbase/HBaseConnection.java,
stream-core/src/main/java/org/apache/kylin/stream/core/util/HDFSUtil.java, engine-mr/src/main/java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java,
core-common/src/main/java/org/apache/kylin/common/util/HadoopUtil.java, core-common/src/main/java/org/apache/kylin/common/util/ZKUtil.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(java.lang.String,java.lang.String),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  server/src/main/java/org/apache/kylin/rest/DebugTomcat.java

 *** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(java.lang.String,java.lang.String)
org.apache.hadoop.security.UserGroupInformation.isSecurityEnabled()
org.apache.hadoop.security.UserGroupInformation.isAuthenticationMethodEnabled(org.apache.hadoop.security.UserGroupInformation$AuthenticationMethod)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.security.UserGroupInformation.isSecurityEnabled(),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  server/src/main/java/org/apache/kylin/rest/DebugTomcat.java

 *** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.isSecurityEnabled()
org.apache.hadoop.security.UserGroupInformation.isAuthenticationMethodEnabled(org.apache.hadoop.security.UserGroupInformation$AuthenticationMethod)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.io.SequenceFile.createWriter(org.apache.hadoop.fs.FileSystem,org.apache.hadoop.conf.Configuration,org.apache.hadoop.fs.Path,java.lang.Class,java.lang.Class),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.getTrimmedStringCollection(java.lang.String),
which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 ** *Update suggestion:* version 3.2.0. 3.2.0 is a safe version without CVEs. From 2.7.1 to
3.2.0, 1 of the APIs (called 31 times in your project) was removed, and 37 APIs (called
162 times in your project) were modified.

> There are several CVEs in the project dependencies
> --------------------------------------------------
>
>                 Key: KYLIN-4394
>                 URL: https://issues.apache.org/jira/browse/KYLIN-4394
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>            Reporter: XuCongying
>            Assignee: Yaqian Zhang
>            Priority: Major
>         Attachments: apache-kylin_CVE-report.md
>
>
> I noticed some of your libraries contained CVEs. I suggest updating their versions to
increase the security of your project. The following is the detailed content.
>  * *Vulnerable Library Version:* org.scala-lang : scala-compiler : 2.11.0 *CVE ID:* [CVE-2017-15288|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15288]
*Import Path:* engine-flink/pom.xml, kylin-it/pom.xml, engine-spark/pom.xml *Suggested Safe
Versions:* 2.11.12, 2.12.10, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.13.0, 2.13.0-M1,
2.13.0-M2, 2.13.0-M3, 2.13.0-M3-f73b161, 2.13.0-M4, 2.13.0-M4-pre-20d3c21, 2.13.0-M5, 2.13.0-M5-1775dba,
2.13.0-M5-5eef812, 2.13.0-M5-6e0cba7, 2.13.0-RC1, 2.13.0-RC2, 2.13.0-RC3, 2.13.1
>  * *Vulnerable Library Version:* org.apache.tomcat : tomcat-catalina : 7.0.91 *CVE ID:*
[CVE-2016-8735|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735], [CVE-2019-0232|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232],
[CVE-2016-6794|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794], [CVE-2016-6816|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816],
[CVE-2016-8745|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745], [CVE-2019-17563|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563]
*Import Path:* tomcat-ext/pom.xml, server/pom.xml, server-base/pom.xml *Suggested Safe Versions:*
10.0.0-M1, 7.0.100, 9.0.30, 9.0.31
>  * *Vulnerable Library Version:* com.h2database : h2 : 1.4.196 *CVE ID:* [CVE-2018-10054|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054],
[CVE-2018-14335|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335] *Import Path:*
server/pom.xml, kylin-it/pom.xml, source-jdbc/pom.xml, source-hive/pom.xml, datasource-sdk/pom.xml
*Suggested Safe Versions:* 1.4.198, 1.4.199, 1.4.200
>  * *Vulnerable Library Version:* com.google.guava : guava : 14.0 *CVE ID:* [CVE-2018-10237|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237]
*Import Path:* core-storage/pom.xml, stream-receiver/pom.xml, server/pom.xml, core-cube/pom.xml,
core-metadata/pom.xml, jdbc/pom.xml, tool-assembly/pom.xml, core-metrics/pom.xml *Suggested
Safe Versions:* 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre,
26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android,
27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>  * *Vulnerable Library Version:* org.apache.hive.hcatalog : hive-hcatalog-core : 1.2.1
*CVE ID:* [CVE-2015-7521|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521] *Import
Path:* metrics-reporter-hive/pom.xml, assembly/pom.xml, server/pom.xml, kylin-it/pom.xml,
source-jdbc/pom.xml, source-hive/pom.xml, server-base/pom.xml *Suggested Safe Versions:* 1.2.2,
2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0,
3.1.0, 3.1.1, 3.1.2
>  * *Vulnerable Library Version:* org.apache.spark : spark-core_2.11 : 2.3.2 *CVE ID:*
[CVE-2017-7678|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678], [CVE-2018-3826|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3826],
[CVE-2018-11770|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11770], [CVE-2019-10099|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10099]
*Import Path:* server/pom.xml, kylin-it/pom.xml, engine-spark/pom.xml, storage-hbase/pom.xml
*Suggested Safe Versions:* 2.4.5
>  * *Vulnerable Library Version:* org.apache.kafka : kafka_2.11 : 1.0.0 *CVE ID:* [CVE-2018-1288|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288],
[CVE-2019-17196|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196] *Import Path:*
assembly/pom.xml, source-kafka/pom.xml, kylin-it/pom.xml, stream-source-kafka/pom.xml, metrics-reporter-kafka/pom.xml
*Suggested Safe Versions:* 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
>  * *Vulnerable Library Version:* org.apache.hive : hive-jdbc : 1.2.1 *CVE ID:* [CVE-2016-3083|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083],
[CVE-2015-7521|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521], [CVE-2018-1282|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1282]
*Import Path:* server/pom.xml, source-jdbc/pom.xml, source-hive/pom.xml *Suggested Safe Versions:*
2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  * *Vulnerable Library Version:* org.apache.hadoop : hadoop-hdfs : 2.7.1 *CVE ID:* [CVE-2016-5001|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5001],
[CVE-2018-11768|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768] *Import Path:*
metrics-reporter-hive/pom.xml, assembly/pom.xml, stream-core/pom.xml, stream-receiver/pom.xml,
server/pom.xml, kylin-it/pom.xml, engine-mr/pom.xml, storage-hbase/pom.xml *Suggested Safe
Versions:* 2.10.0, 2.8.5, 2.9.2, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  * *Vulnerable Library Version:* org.springframework : spring-core : 4.3.10.RELEASE *CVE
ID:* [CVE-2018-1272|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272] *Import
Path:* tool/pom.xml *Suggested Safe Versions:* 4.3.15.RELEASE, 4.3.16.RELEASE, 4.3.17.RELEASE,
4.3.18.RELEASE, 4.3.19.RELEASE, 4.3.20.RELEASE, 4.3.21.RELEASE, 4.3.22.RELEASE, 4.3.23.RELEASE,
4.3.24.RELEASE, 4.3.25.RELEASE, 4.3.26.RELEASE, 5.0.10.RELEASE, 5.0.11.RELEASE, 5.0.12.RELEASE,
5.0.13.RELEASE, 5.0.14.RELEASE, 5.0.15.RELEASE, 5.0.16.RELEASE, 5.0.5.RELEASE, 5.0.6.RELEASE,
5.0.7.RELEASE, 5.0.8.RELEASE, 5.0.9.RELEASE, 5.1.0.RELEASE, 5.1.1.RELEASE, 5.1.10.RELEASE,
5.1.11.RELEASE, 5.1.12.RELEASE, 5.1.13.RELEASE, 5.1.2.RELEASE, 5.1.3.RELEASE, 5.1.4.RELEASE,
5.1.5.RELEASE, 5.1.6.RELEASE, 5.1.7.RELEASE, 5.1.8.RELEASE, 5.1.9.RELEASE, 5.2.0.RELEASE,
5.2.1.RELEASE, 5.2.2.RELEASE, 5.2.3.RELEASE
>  * *Vulnerable Library Version:* com.fasterxml.jackson.core : jackson-databind : 2.9.5
*CVE ID:* [CVE-2019-16335|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335],
[CVE-2019-12814|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814], [CVE-2018-19362|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362],
[CVE-2018-19360|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360], [CVE-2019-14439|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439],
[CVE-2019-16943|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943], [CVE-2019-14379|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379],
[CVE-2019-14540|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540], [CVE-2019-17267|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267],
[CVE-2018-12023|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023], [CVE-2020-8840|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840],
[CVE-2019-20330|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330], [CVE-2019-12384|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384],
[CVE-2019-12086|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086], [CVE-2018-14720|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720],
[CVE-2018-14721|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721], [CVE-2018-14719|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719],
[CVE-2019-17531|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531], [CVE-2018-14718|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718],
[CVE-2018-11307|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307], [CVE-2018-19361|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361],
[CVE-2019-16942|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942] *Import Path:*
core-common/pom.xml, stream-receiver/pom.xml *Suggested Safe Versions:* 2.10.0, 2.10.1, 2.10.2,
2.9.10.3
>  * *Vulnerable Library Version:* org.springframework.security : spring-security-core
: 4.2.3.RELEASE *CVE ID:* [CVE-2019-3795|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3795],
[CVE-2019-11272|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272] *Import Path:*
stream-receiver/pom.xml *Suggested Safe Versions:* 4.2.13.RELEASE, 4.2.14.RELEASE, 5.0.12.RELEASE,
5.0.13.RELEASE, 5.0.14.RELEASE, 5.1.5.RELEASE, 5.1.6.RELEASE, 5.1.7.RELEASE, 5.1.8.RELEASE,
5.2.0.RELEASE, 5.2.1.RELEASE, 5.2.2.RELEASE
>  * *Vulnerable Library Version:* org.apache.hadoop : hadoop-common : 2.7.1 *CVE ID:*
[CVE-2016-5393|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5393], [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009],
[CVE-2016-6811|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811], [CVE-2017-15718|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718],
[CVE-2016-3086|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3086], [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713],
[CVE-2018-8029|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029] *Import Path:*
core-storage/pom.xml, tomcat-ext/pom.xml...(The rest of the 33 paths are hidden.) *Suggested
Safe Versions:* 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  * *Vulnerable Library Version:* org.apache.httpcomponents : httpclient : 4.2.5 *CVE
ID:* [CVE-2014-3577|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577], [CVE-2015-5262|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262]
*Import Path:* core-common/pom.xml, jdbc/pom.xml *Suggested Safe Versions:* 4.3.6, 4.4, 4.4-alpha1,
4.4-beta1, 4.4.1, 4.5, 4.5.1, 4.5.10, 4.5.11, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8,
4.5.9
>  * *Vulnerable Library Version:* org.springframework : spring-webmvc : 4.3.10.RELEASE
*CVE ID:* [CVE-2018-15756|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756],
[CVE-2018-1271|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271], [CVE-2018-1199|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199]
*Import Path:* stream-receiver/pom.xml, server-base/pom.xml *Suggested Safe Versions:* 4.3.20.RELEASE,
4.3.21.RELEASE, 4.3.22.RELEASE, 4.3.23.RELEASE, 4.3.24.RELEASE, 4.3.25.RELEASE, 4.3.26.RELEASE,
5.0.16.RELEASE, 5.1.13.RELEASE, 5.2.3.RELEASE
>  * *Vulnerable Library Version:* org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.1
*CVE ID:* [CVE-2017-3166|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166] *Import
Path:* engine-flink/pom.xml, server/pom.xml, kylin-it/pom.xml, engine-mr/pom.xml *Suggested
Safe Versions:* 2.10.0, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5,
2.9.0, 2.9.1, 2.9.2, 3.0.0-alpha4, 3.0.0-beta1, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2,
3.1.3, 3.2.0, 3.2.1
>  * *Vulnerable Library Version:* org.apache.commons : commons-compress : 1.18 *CVE ID:*
[CVE-2019-12402|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402] *Import Path:*
core-common/pom.xml *Suggested Safe Versions:* 1.19, 1.20
>  * *Vulnerable Library Version:* org.eclipse.jetty : jetty-server : 9.3.22.v20171030
*CVE ID:* [CVE-2017-7656|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656], [CVE-2019-10247|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247],
[CVE-2017-7657|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657], [CVE-2017-7658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658],
[CVE-2018-12536|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536] *Import Path:*
stream-receiver/pom.xml, server/pom.xml, server-base/pom.xml *Suggested Safe Versions:* 10.0.0-alpha0,
10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120,
9.4.25.v20191220, 9.4.26.v20200117
>  * *Vulnerable Library Version:* mysql : mysql-connector-java : 5.1.8 *CVE ID:* [CVE-2019-2692|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2692],
[CVE-2017-3523|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3523], [CVE-2017-3589|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589]
*Import Path:* core-common/pom.xml, server/pom.xml, kylin-it/pom.xml *Suggested Safe Versions:*
8.0.16, 8.0.17, 8.0.18, 8.0.19
>  * *Vulnerable Library Version:* org.postgresql : postgresql : 42.1.1 *CVE ID:* [CVE-2018-10936|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10936]
*Import Path:* datasource-sdk/pom.xml *Suggested Safe Versions:* 42.2.10, 42.2.10.jre6, 42.2.10.jre7,
42.2.5, 42.2.5.jre6, 42.2.5.jre7, 42.2.6, 42.2.6.jre6, 42.2.6.jre7, 42.2.7, 42.2.7.jre6, 42.2.7.jre7,
42.2.8, 42.2.8.jre6, 42.2.8.jre7, 42.2.9, 42.2.9.jre6, 42.2.9.jre7
>  * *Vulnerable Library Version:* xerces : xercesImpl : 2.11.0 *CVE ID:* [CVE-2012-0881|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881],
[CVE-2013-4002|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002] *Import Path:*
kylin-it/pom.xml *Suggested Safe Versions:* 2.12.0



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
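Added example, not part of the Jira thread or of the Kylin code base: the report above lists vulnerable Maven coordinates and candidate safe versions, but the check a practitioner actually wants is against the versions Maven resolves for the build (a pom may declare one version and resolve another through dependency management), followed by the least disruptive upgrade, since the report itself warns that jumping hadoop-common from 2.7.1 to 3.2.0 removes or modifies APIs at almost 200 call sites. The Python script below takes a subset of the report's coordinates, versions and CVE ids (copied from the page, CVE lists abbreviated), parses `mvn dependency:list` output, and for each match picks the lowest safe version on the same major.minor line before falling back to the same major and then to a major bump. The sample dependency list is constructed for this example and is not real Kylin output; the tiering rule and the `unverified` status are this example's own design, not something the report defines.

```python
import re
from typing import List, Tuple

# Subset of the vulnerable coordinates and suggested safe versions from the
# KYLIN-4394 report above (CVE lists abbreviated to the first few ids).
REPORT = {
    ("org.apache.hadoop", "hadoop-common"): dict(
        vulnerable="2.7.1", cves=["CVE-2017-15713", "CVE-2018-8009"],
        safe=["3.1.1", "3.1.2", "3.1.3", "3.2.0", "3.2.1"]),
    ("org.apache.tomcat", "tomcat-catalina"): dict(
        vulnerable="7.0.91", cves=["CVE-2019-0232", "CVE-2016-8735"],
        safe=["10.0.0-M1", "7.0.100", "9.0.30", "9.0.31"]),
    ("com.h2database", "h2"): dict(
        vulnerable="1.4.196", cves=["CVE-2018-10054", "CVE-2018-14335"],
        safe=["1.4.198", "1.4.199", "1.4.200"]),
    ("com.fasterxml.jackson.core", "jackson-databind"): dict(
        vulnerable="2.9.5", cves=["CVE-2019-14540", "CVE-2020-8840"],
        safe=["2.10.0", "2.10.1", "2.10.2", "2.9.10.3"]),
    ("org.springframework", "spring-core"): dict(
        vulnerable="4.3.10.RELEASE", cves=["CVE-2018-1272"],
        safe=["4.3.15.RELEASE", "4.3.16.RELEASE", "4.3.26.RELEASE", "5.2.3.RELEASE"]),
}


def version_key(v: str) -> tuple:
    """Order versions by their leading numeric dotted components; a non-numeric
    tail (RELEASE, -M1, -jre, .v20190418) is kept only as a tie-breaker."""
    parts = re.split(r"[.\-]", v)
    nums: List[int] = []
    for p in parts:
        if not p.isdigit():
            break
        nums.append(int(p))
    suffix = ".".join(parts[len(nums):])
    return (tuple(nums), suffix == "", suffix)


def least_disruptive_upgrade(vulnerable: str, safe: List[str]) -> Tuple[str, str]:
    """Lowest safe version on the same major.minor line ('patch'), else on the
    same major line ('minor'), else the lowest safe version at all ('major')."""
    vnums = version_key(vulnerable)[0]
    ordered = sorted(safe, key=version_key)
    for tier, depth in (("patch", 2), ("minor", 1)):
        for s in ordered:
            if version_key(s)[0][:depth] == vnums[:depth]:
                return s, tier
    return ordered[0], "major"


def parse_dependency_list(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse `mvn dependency:list` lines of the form
    [INFO]    group:artifact:type[:classifier]:version:scope
    into (group, artifact, resolved_version, scope); other lines are skipped."""
    deps = []
    for line in text.splitlines():
        body = line.replace("[INFO]", "", 1).strip().split(" -- ")[0]
        fields = body.split(":")
        if len(fields) == 5:
            group, artifact, _type, version, scope = fields
        elif len(fields) == 6:
            group, artifact, _type, _classifier, version, scope = fields
        else:
            continue
        deps.append((group, artifact, version, scope))
    return deps


def triage(dependency_list: str, report=REPORT) -> List[dict]:
    """Match RESOLVED versions against the report: equal to the reported version
    is 'vulnerable', in the safe list is 'safe', anything else is 'unverified'
    (the report says nothing about it). Vulnerable non-test findings sort first."""
    findings = []
    for group, artifact, version, scope in parse_dependency_list(dependency_list):
        entry = report.get((group, artifact))
        if entry is None:
            continue
        if version in entry["safe"]:
            status = "safe"
        elif version == entry["vulnerable"]:
            status = "vulnerable"
        else:
            status = "unverified"
        upgrade, tier = least_disruptive_upgrade(entry["vulnerable"], entry["safe"])
        findings.append(dict(artifact=f"{group}:{artifact}", resolved=version,
                             scope=scope, status=status, cves=entry["cves"],
                             upgrade=upgrade, tier=tier))
    rank = {"vulnerable": 0, "unverified": 1, "safe": 2}
    return sorted(findings, key=lambda f: (rank[f["status"]], f["scope"] == "test"))


# Constructed sample of `mvn dependency:list` output (hypothetical, not real Kylin output).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile
[INFO]    org.apache.tomcat:tomcat-catalina:jar:7.0.91:provided
[INFO]    com.h2database:h2:jar:1.4.200:test
[INFO]    org.springframework:spring-core:jar:4.3.12.RELEASE:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.4:compile
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['status']:<11} {f['artifact']}:{f['resolved']} [{f['scope']}] "
              f"-> {f['upgrade']} ({f['tier']} upgrade; {', '.join(f['cves'])})")
```

Run it against the real output of `mvn dependency:list` for each module instead of `SAMPLE`. Two design points: the script only trusts the two things the report actually states (the exact version it calls vulnerable and the versions it calls safe), so a resolved version that is neither, such as spring-core 4.3.12.RELEASE in the sample, is reported as `unverified` rather than silently assumed fixed or broken; and for jackson-databind 2.9.5 it recommends 2.9.10.3 rather than 2.10.x, because the report's safe list contains a 2.9 patch release and a patch upgrade is far less likely to hit the API removals the report counts for hadoop-common.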
