
CVE suppression (#12535)#12543

Merged
abhishekagarwal87 merged 1 commit into apache:0.23.0 from AmatyaAvadhanula:feature-cve_suppression_18_05_2022_backport
May 19, 2022

Conversation

@AmatyaAvadhanula (Contributor)

Backport #12535 to release 0.23.0

Suppress

  1. Ambari -> ambari-metrics-common-2.7.0.0.0.jar -> CVE-2021-4104, CVE-2020-9493, CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
     • The CVEs are being suppressed since Ambari hasn't been updated in a long time. Might consider eliminating this dependency in the future.
  2. GSON -> gson-*.jar -> CVE-2022-25647
  3. Jackson -> *jackson-*.jar -> CVE-2020-36518
  4. Jedis -> jedis-2.9.0.jar -> CVE-2021-32626, CVE-2022-24735
     • The Jedis vulnerabilities are due to Lua script execution in Redis. This is not applicable to Druid.
  5. Solr -> solr-solrj-7.7.1.jar -> CVE-2021-44548
     • This CVE only affects Windows and is not applicable to Druid.

@abhishekagarwal87 abhishekagarwal87 added this to the 0.23.0 milestone May 19, 2022
@abhishekagarwal87 abhishekagarwal87 merged commit 7b62bb9 into apache:0.23.0 May 19, 2022