kylin-issues mailing list archives

From "Shaofeng SHI (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (KYLIN-3605) Fix security issues reported by snyk.io
Date Sat, 29 Sep 2018 10:38:00 GMT

     [ https://issues.apache.org/jira/browse/KYLIN-3605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shaofeng SHI reassigned KYLIN-3605:
-----------------------------------

    Assignee: Shaofeng SHI

> Fix security issues reported by snyk.io
> ---------------------------------------
>
>                 Key: KYLIN-3605
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3605
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Assignee: Shaofeng SHI
>            Priority: Major
>             Fix For: v2.6.0
>
>
> HIGH SEVERITY
> h1. Arbitrary Code Execution
>  * Vulnerable module: commons-beanutils:commons-beanutils
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1 › commons-configuration:commons-configuration@1.6 › commons-digester:commons-digester@1.8 › commons-beanutils:commons-beanutils@1.7.0
> *Remediation:* No remediation path available.
> h2. Overview
> [{{commons-beanutils:commons-beanutils}}|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-beanutils%22]
> Vulnerable versions of _Apache Commons BeanUtils_ do not suppress the class property,
> which allows remote attackers to manipulate the {{ClassLoader}} and execute arbitrary code
> via the class parameter, as demonstrated by the passing of this parameter to the {{getClass}} method
> of the {{ActionForm}} object in Struts 1.
>  
> HIGH SEVERITY
> h1. Arbitrary Command Execution
>  * Vulnerable module: org.mortbay.jetty:jetty
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1 › org.mortbay.jetty:jetty@6.1.26
> *Remediation:* No remediation path available.
> h2. Overview
> [org.mortbay.jetty:jetty|https://mvnrepository.com/artifact/org.mortbay.jetty] is an
> open-source project providing an HTTP server, HTTP client and javax.servlet container.
> Affected versions of this package are vulnerable to Arbitrary Command Execution. It writes
> backtrace data without sanitizing non-printable characters, which might allow remote attackers
> to modify a window's title, or possibly execute arbitrary commands or overwrite files, via
> an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string
> value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java
> under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic
> value in the Content-Length HTTP header to an arbitrary application.
> HIGH SEVERITY
> h1. Information Exposure
>  * Vulnerable module: org.apache.hadoop:hadoop-common
>  * Introduced through: org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT
> h2. Detailed paths and remediation
>  * *Introduced through*: org.apache.kylin:kylin-core-metadata@2.6.0-SNAPSHOT › org.apache.kylin:kylin-core-common@2.6.0-SNAPSHOT › com.github.joshelser:dropwizard-metrics-hadoop-metrics2-reporter@0.1.2 › org.apache.hadoop:hadoop-common@2.7.1
> *Remediation:* No remediation path available.
> h2. Overview
> [{{org.apache.hadoop:hadoop-common}}|https://hadoop.apache.org/] is a framework that
> allows for the distributed processing of large data sets across clusters of computers using
> simple programming models.
> Affected versions of the package are vulnerable to Information Exposure.
> If you use the CredentialProvider feature to encrypt passwords used in NodeManager configs,
> it may be possible for any Container launched by that NodeManager to gain access to the encryption
> password. The other passwords themselves are not directly exposed.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
