Discussion on Fixing Vulnerabilities Found in Datahub-GMS and Frontend

Original Slack Thread

Hey, here is a list of vulnerabilities found in datahub-gms and frontend. Can you guys help fix them? Thanks

Package Name ID (CVSS) Fix Status
• ch.qos.logback_logback-classic 1.2.12 CVE-2023-6378 (CVSS 7.1) fixed in 1.4.12, 1.3.12
• ch.qos.logback_logback-core 1.2.12 CVE-2023-6378 (CVSS 7.1) fixed in 1.4.12, 1.3.12
• com.fasterxml.jackson.core_jackson-core 2.13.2 PRISMA-2023-0067 (CVSS 7.5) fixed in 2.15.0
• com.fasterxml.jackson.core_jackson-core 2.14.2 PRISMA-2023-0067 (CVSS 7.5) fixed in 2.15.0
• com.fasterxml.jackson.core_jackson-databind 2.15.2 CVE-2023-35116 (CVSS 4.7) fixed in 2.15.3
• com.google.guava_guava 31.0.1-jre CVE-2023-2976 (CVSS 7.1) fixed in 32.0.0
• - CVE-2020-8908 (CVSS 3.3) fixed in 32.0.0
• commons-io_commons-io 2.4 CVE-2021-29425 (CVSS 4.8) fixed in 2.7
• gnutls28 3.7.9-2 CVE-2023-5981 (CVSS 5.9) fixed in 3.7.9-2+deb12u1
• io.netty_netty-all 4.1.86.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94
• - CVE-2023-44487 (CVSS 7.5) fixed in 4.1.100
• io.netty_netty-codec 4.1.78.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94
• - CVE-2022-41881 (CVSS 7.5) fixed in 4.1.86
• - CVE-2023-44487 (CVSS 7.5) fixed in 4.1.100
• io.netty_netty-codec 4.1.86.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94
• - CVE-2023-44487 (CVSS 7.5) fixed in 4.1.100
• io.netty_netty-codec-http2 4.1.86.Final CVE-2023-44487 (CVSS 7.5) fixed in 4.1.100.Final
• - GHSA-xpw8-rcwv-8f8p (CVSS 7.5) fixed in 4.1.100.Final
• io.netty_netty-handler 4.1.78.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94.Final
• io.netty_netty-handler 4.1.86.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94.Final
• kotlin-stdlib 1.4.10 CVE-2020-29582 (CVSS 5.3) fixed in 1.4.21
• - CVE-2022-24329 (CVSS 5.3) fixed in 1.6.0
• nghttp2 1.52.0-1 CVE-2023-44487 (CVSS 7.5) fixed in 1.52.0-1+deb12u1
• opensearch 2.9.0 GHSA-6g3j-p5g6-992f (CVSS 6.5) fixed in 2.11.1, 1.3.14
• org.apache.commons_commons-compress 1.22 CVE-2023-42503 (CVSS 5.5) fixed in 1.24.0
• org.apache.zookeeper_zookeeper 3.6.3 CVE-2023-44981 (CVSS 9.1) fixed in 3.9.1, 3.8.3, 3.7.2
• org.eclipse.jetty_jetty-http 9.4.46.v20220331 CVE-2022-2047 (CVSS 2.7) fixed in 11.0.10, 10.0.10, 9.4.47
• - CVE-2023-40167 (CVSS 5.3) fixed in 12.0.1, 11.0.16, 10.0.16, 9.4.52
• org.eclipse.jetty_jetty-io 9.4.46.v20220331 CVE-2023-26049 (CVSS 5.3) fixed in 11.0.14, 10.0.14, 9.4.51
• - CVE-2023-26048 (CVSS 5.3) fixed in 11.0.14, 10.0.14, 9.4.51
• - CVE-2022-2048 (CVSS 7.5) fixed in 11.0.9, 10.0.9, 9.4.47
• - CVE-2023-36479 (CVSS 4.3) fixed in 11.0.16, 10.0.16, 9.4.52
• - CVE-2023-41900 (CVSS 4.3) fixed in 11.0.16, 10.0.16, 9.4.52
• - CVE-2023-40167 (CVSS 5.3) fixed in 12.0.1, 11.0.16, 10.0.16,…
• - CVE-2023-36478 (CVSS 7.5) fixed in 11.0.16, 10.0.16, 9.4.53
• org.eclipse.jetty_jetty-server 9.4.46.v20220331 CVE-2023-26048 (CVSS 5.3) fixed in 9.4.51.v20230217, 11.0.14, 10.0.14
• - CVE-2023-26049 (CVSS 2.4) fixed in 9.4.51.v20230217, 12.0.0.beta0, 11.0.14, 10.0.14
• org.eclipse.jetty_jetty-xml 9.4.46.v20220331 GHSA-58qw-p7qm-5rvh (CVSS 3.9) fixed in 9.4.52, 12.0.0, 10.0.16, 11.0.16
• org.glassfish.jersey.core_jersey-common 2.30 CVE-2021-28168 (CVSS 6.2) fixed in 3.0.2, 2.34
• org.json_json 20230227 CVE-2023-5072 (CVSS 7.5) fixed in 20231013
• org.springframework.kafka_spring-kafka 2.8.11 CVE-2023-34040 (CVSS 7.8) fixed in 3.0.10, 2.9.11
• org.xerial.snappy_snappy-java 1.1.10.3 CVE-2023-43642 (CVSS 7.5) fixed in 1.1.10.4
• org.xerial.snappy_snappy-java 1.1.8.3 CVE-2023-34453 (CVSS 5.9) fixed in 1.1.10.1
• - CVE-2023-34454 (CVSS 5.9) fixed in 1.1.10.1
• - CVE-2023-34455 (CVSS 7.5) fixed in 1.1.10.1
• spring-boot 2.7.14 CVE-2023-34055 (CVSS 5.3) fixed in 3.1.6, 3.0.13, 2.7.18
• spring-web 5.3.29 CVE-2016-1000027 (CVSS 9.8) fixed in 6.0.0
• - CVE-2023-6481 (CVSS 7.5) fixed in 1.8.0, 1.3.0
• java 17.0.9 CVE-2022-45146 (CVSS 5.5) fixed in 1.0.2.4

Here is a list for frontend

Package Name ID (CVSS) Fix Status
• ch.qos.logback_logback-classic 1.2.12 CVE-2023-6378 (CVSS 7.1) fixed in 1.4.12, 1.3.12
• ch.qos.logback_logback-core 1.2.12 CVE-2023-6378 (CVSS 7.1) fixed in 1.4.12, 1.3.12
• com.fasterxml.jackson.core_jackson-core 2.14.2 PRISMA-2023-0067 (CVSS 7.5) fixed in 2.15.0
• com.fasterxml.jackson.core_jackson-databind 2.15.2 CVE-2023-35116 (CVSS 4.7) fixed in 2.15.3
• com.google.guava_guava 31.0.1-jre CVE-2023-2976 (CVSS 7.1) fixed in 32.0.0
• - CVE-2020-8908 (CVSS 3.3) fixed in 32.0.0
• commons-io_commons-io 2.6 CVE-2021-29425 (CVSS 4.8) fixed in 2.7
• io.netty_netty-all 4.1.86.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94
• - CVE-2023-44487 (CVSS 7.5) fixed in 4.1.100
• io.netty_netty-codec 4.1.78.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94
• - CVE-2022-41881 (CVSS 7.5) fixed in 4.1.86
• - CVE-2023-44487 (CVSS 7.5) fixed in 4.1.100
• io.netty_netty-codec 4.1.86.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94
• - CVE-2023-44487 (CVSS 7.5) fixed in 4.1.100
• io.netty_netty-codec-http2 4.1.86.Final CVE-2023-44487 (CVSS 7.5) fixed in 4.1.100.Final
• - GHSA-xpw8-rcwv-8f8p (CVSS 7.5) fixed in 4.1.100.Final
• io.netty_netty-handler 4.1.78.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94.Final
• io.netty_netty-handler 4.1.86.Final CVE-2023-34462 (CVSS 6.5) fixed in 4.1.94.Final
• nghttp2 1.52.0-1 CVE-2023-44487 (CVSS 7.5) fixed in 1.52.0-1+deb12u1
• org.apache.commons_commons-compress 1.22 CVE-2023-42503 (CVSS 5.5) fixed in 1.24.0
• org.apache.shiro_shiro-core 1.11.0 CVE-2023-34478 (CVSS 9.8) fixed in 1.12.0
• org.apache.zookeeper_zookeeper 3.6.3 CVE-2023-44981 (CVSS 9.1) fixed in 3.9.1, 3.8.3, 3.7.2
• org.eclipse.jetty_jetty-http 9.4.46.v20220331 CVE-2022-2047 (CVSS 2.7) fixed in 11.0.10, 10.0.10, 9.4.47
• - CVE-2023-40167 (CVSS 5.3) fixed in 12.0.1, 11.0.16, 10.0.16, 9.4.52
• org.eclipse.jetty_jetty-io 9.4.46.v20220331 CVE-2023-26049 (CVSS 5.3) fixed in 11.0.14, 10.0.14, 9.4.51
• - CVE-2023-26048 (CVSS 5.3) fixed in 11.0.14, 10.0.14, 9.4.51
• - CVE-2022-2048 (CVSS 7.5) fixed in 11.0.9, 10.0.9, 9.4.47
• - CVE-2023-36479 (CVSS 4.3) fixed in 11.0.16, 10.0.16, 9.4.52
• - CVE-2023-41900 (CVSS 4.3) fixed in 11.0.16, 10.0.16, 9.4.52
• - CVE-2023-40167 (CVSS 5.3) fixed in 12.0.1, 11.0.16, 10.0.16,…
• - CVE-2023-36478 (CVSS 7.5) fixed in 11.0.16, 10.0.16, 9.4.53
• org.eclipse.jetty_jetty-server 9.4.46.v20220331 CVE-2023-26048 (CVSS 5.3) fixed in 9.4.51.v20230217, 11.0.14, 10.0.14
• - CVE-2023-26049 (CVSS 2.4) fixed in 9.4.51.v20230217, 12.0.0.beta0, 11.0.14, 10.0.14
• org.json_json 20230227 CVE-2023-5072 (CVSS 7.5) fixed in 20231013
• org.xerial.snappy_snappy-java 1.1.8.3 CVE-2023-34453 (CVSS 5.9) fixed in 1.1.10.1
• - CVE-2023-34454 (CVSS 5.9) fixed in 1.1.10.1
• - CVE-2023-34455 (CVSS 7.5) fixed in 1.1.10.1
• - CVE-2023-6481 (CVSS 7.5) fixed in 1.8.0, 1.3.0
• gnutls28 3.7.9-2 CVE-2023-5981 (CVSS 5.9) fixed in 3.7.9-2+deb12u1
• org.apache.shiro_shiro-core 1.11.0 CVE-2023-46750 (CVSS 6.1) fixed in 1.13.0
• curl 7.88.1-10+deb12u4 CVE-2023-46218 (CVSS 6.5) fixed in 7.88.1-10+deb12u5
• - CVE-2023-46219 (CVSS 5.3) fixed in 7.88.1-10+deb12u5

I believe some of these have been fixed in the most recent version. Can you try upgrading and re-scanning? Also cc: <@UV5UEC3LN>, who worked on some of those.

Yes, a lot of these were blocked on the Java 17 and Spring upgrades and should be fixed in the next release. For sure, all of the Jetty, Jackson, Spring, and Logback ones are no longer valid reports.

<@UV5UEC3LN> - can you say more about what you mean by no longer valid reports? Do you mean the CVEs are no longer valid or they’ve been fixed in the current latest release of datahub (0.12.0)?

I mean that they’ve been fixed in the latest version of DataHub, not that the CVEs are invalid.

<@UV5UEC3LN> One question about shiro-core: it has one vulnerability in the current version and is only fixed in the 2.0.0 alpha release. Do you have any plan to upgrade it? Thanks.

Looks like it’s also fixed in 1.13. Since it’s a medium, it’s not a super high priority item for us, but if this is something blocking you: we don’t make heavy utilization of shiro, so it’s probably just a simple version bump if you want to issue a PR for it.

Here is the PR for upgrading shiro-core: https://github.com/datahub-project/datahub/pull/9818. Please take a look.

Also, when you mentioned the next release, do you know when that happens?

https://datahubspace.slack.com/archives/C017W0NTZHR/p1707775395413679