kylin-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KYLIN-3605) Fix security issues reported by snyk.io
Date Sat, 29 Sep 2018 10:37:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16632931#comment-16632931 ]

ASF GitHub Bot commented on KYLIN-3605:
---------------------------------------

asfgit commented on issue #276: KYLIN-3605 upgrade hadoop-common and zookeeper version to fix securit…
URL: https://github.com/apache/kylin/pull/276#issuecomment-425635058
 
 
   Can one of the admins verify this patch?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Fix security issues reported by snyk.io
> ---------------------------------------
>
>                 Key: KYLIN-3605
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3605
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Priority: Major
>
> HIGH SEVERITY
> h1. Arbitrary Code Execution
>  * Vulnerable module: commons-beanutils:commons-beanutils
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1 › commons-configuration:commons-configuration@1.6 › commons-digester:commons-digester@1.8 › commons-beanutils:commons-beanutils@1.7.0
> *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_ do not suppress the class property,
> which allows remote attackers to manipulate the {{ClassLoader}} and execute arbitrary code
> via the class parameter, as demonstrated by the passing of this parameter to the {{getClass}} method
> of the {{ActionForm}} object in Struts 1.
>  
> HIGH SEVERITY
> h1. Arbitrary Command Execution
>  * Vulnerable module: org.mortbay.jetty:jetty
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1 › org.mortbay.jetty:jetty@6.1.26
> *Remediation:* No remediation path available.
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty] is an
> open-source project providing an HTTP server, HTTP client and javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command Execution. It writes
> backtrace data without sanitizing non-printable characters, which might allow remote attackers
> to modify a window's title, or possibly execute arbitrary commands or overwrite files, via
> an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string
> value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java
> under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic
> value in the Content-Length HTTP header to an arbitrary application.
> HIGH SEVERITY
> h1. Information Exposure
>  * Vulnerable module: org.apache.hadoop:hadoop-common
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1
> *Remediation:* No remediation path available.
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a framework that
> allows for the distributed processing of large data sets across clusters of computers using
> simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in NodeManager configs,
> it may be possible for any Container launched by that NodeManager to gain access to the encryption
> password. The other passwords themselves are not directly exposed.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
