
Suppress CVEs for Solr and org.codehaus.jackson#11030

Merged
jihoonson merged 2 commits into apache:master from jihoonson:suppress-cves
Mar 24, 2021

Conversation

@jihoonson
Contributor

Description

The security vulnerability check CI is failing against master with the below error (https://travis-ci.com/github/apache/druid/builds/221003723):

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.0.3:aggregate (default-cli) on project druid: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
[ERROR] 
[ERROR] jackson-xc-1.9.13.jar: CVE-2018-14718, CVE-2018-7489
[ERROR] jackson-xc-1.9.2.jar: CVE-2018-14718, CVE-2018-7489
[ERROR] libthrift-0.13.0.jar: CVE-2020-13949
[ERROR] solr-solrj-7.7.1.jar: CVE-2020-13957, CVE-2019-0193, CVE-2019-17558, CVE-2020-13941

This PR suppresses all these CVEs except for CVE-2020-13949 which should be addressed in #11028.

Analysis of CVEs:

  • CVEs for Solr 7.7.1 (CVE-2020-13957, CVE-2019-0193, CVE-2019-17558, CVE-2020-13941): The ranger-security extension has a dependency on ranger-plugins-audit which supports SolrAuditProvider. These CVEs seem exploitable on the server side only.
  • CVEs for jackson-xc and jackson-jaxrs (CVE-2018-14718, CVE-2018-7489): These are used in the ranger-security, ambari-metrics-emitter, and aliyun-oss extensions. I think these vulnerabilities are legitimate at least for the aliyun-oss extension and so created Bump Aliyun OSS Java SDK version #11029. For other extensions, I assume they are legit as well as I'm not 100% sure how they are using jackson. However, their latest releases still use the same vulnerable version of 1.9.x, so I would suggest suppressing them until they release a new version that has the fix.

This PR has:

  • been self-reviewed.
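An illustrative OWASP dependency-check suppression file for the entries analysed above, added here as an example and not the PR's actual diff (the file name, the `until` date, and the exact notes are assumptions; the CVE identifiers and artifact names are the ones from the CI output):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: owasp-dependency-check-suppressions.xml (placeholder; the PR's real path is not shown here).
     Wired into the Maven plugin via its suppressionFiles parameter. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- solr-solrj-7.7.1.jar: pulled in transitively by ranger-security -> ranger-plugins-audit
       (SolrAuditProvider). Suppressed because the reported Solr CVEs are exploitable on the
       Solr server side, while only the SolrJ client ships here. -->
  <suppress>
    <notes><![CDATA[
      Solr server-side CVEs; Druid only embeds the SolrJ client via ranger-plugins-audit.
      Re-evaluate whenever the Ranger dependency is upgraded.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr\-solrj@.*$</packageUrl>
    <cve>CVE-2019-0193</cve>
    <cve>CVE-2019-17558</cve>
    <cve>CVE-2020-13941</cve>
    <cve>CVE-2020-13957</cve>
  </suppress>

  <!-- org.codehaus.jackson 1.9.x (jackson-xc 1.9.2 / 1.9.13 and jackson-jaxrs) from the
       ranger-security, ambari-metrics-emitter and aliyun-oss extensions. Time-bounded with
       an `until` date (placeholder value) so the scan fails again and forces a review once
       the upstream projects have had time to ship a release without Jackson 1.x. -->
  <suppress until="2021-09-30Z">
    <notes><![CDATA[
      Upstream latest releases still depend on Jackson 1.9.x; suppress until they publish a fix.
      aliyun-oss is handled separately by bumping its SDK (#11029).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-(xc|jaxrs)@.*$</packageUrl>
    <cve>CVE-2018-7489</cve>
    <cve>CVE-2018-14718</cve>
  </suppress>

  <!-- Deliberately no entry for libthrift-0.13.0.jar / CVE-2020-13949: that finding is meant
       to be fixed by a version upgrade in #11028 rather than suppressed, so the aggregate
       scan keeps failing on it until that upgrade lands (see the second run below). -->
</suppressions>
```

Keeping a `notes` block per entry records why each suppression is believed safe and what would invalidate it, which is what a reviewer auditing the scan exceptions later needs.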

@jihoonson jihoonson changed the title Suppress cves Suppress CVEs for Solr and org.codehaus.jackson Mar 24, 2021
@jihoonson
Contributor Author

@jon-wei @clintropolis thank you for the quick review. I'm merging this PR without waiting for the CI as the security vulnerability CI doesn't run per PR. I manually ran mvn dependency-check:aggregate -pl '!integration-tests' and got the result below which is expected:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.0.3:aggregate (default-cli) on project druid: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
[ERROR] 
[ERROR] libthrift-0.13.0.jar: CVE-2020-13949

@jihoonson jihoonson merged commit efc5d7d into apache:master Mar 24, 2021
jihoonson added a commit that referenced this pull request Mar 25, 2021
* Suppress CVEs for Solr and org.codehaus.jackson

* add a comment
jihoonson added a commit to jihoonson/druid that referenced this pull request Apr 14, 2021
* Suppress CVEs for Solr and org.codehaus.jackson

* add a comment
@jihoonson jihoonson added this to the 0.21.0 milestone Apr 14, 2021
