Intel-bigdata / HiBench

HiBench is a big data benchmark suite.

Dependency org.apache.zookeeper:zookeeper, leading to CVE problem #684

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, in HiBench-7.1.1/sparkbench/ml graph, there is a dependency org.apache.zookeeper:zookeeper:3.4.5 that calls the risk method.

CVE-2019-0201

The affected version range of this CVE is [,3.4.14),[3.5.0-alpha, 3.5.5)

After further analysis, in this project the main API called is <org.apache.zookeeper.server.FinalRequestProcessor: void processRequest(org.apache.zookeeper.server.Request)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 6

<org.apache.zookeeper.server.FinalRequestProcessor: void processRequest(org.apache.zookeeper.server.Request)>
at <org.apache.zookeeper.server.quorum.CommitProcessor: void run()> (org.apache.zookeeper.server.quorum.CommitProcessor.java:[74]) in /.m2/repository/org/apache/zookeeper/zookeeper/3.4.5/zookeeper-3.4.5.jar
at <org.apache.spark.scheduler.LiveListenerBus: void start(org.apache.spark.SparkContext)> (org.apache.spark.scheduler.LiveListenerBus.java:[104]) in /.m2/repository/org/apache/spark/spark-core_2.11/2.0.0/spark-core_2.11-2.0.0.jar
at <org.apache.spark.SparkContext: void setupAndStartListenerBus()> (org.apache.spark.SparkContext.java:[2140]) in /.m2/repository/org/apache/spark/spark-core_2.11/2.0.0/spark-core_2.11-2.0.0.jar
at <org.apache.spark.SparkContext: void <init>(org.apache.spark.SparkConf)> (org.apache.spark.SparkContext.java:[544]) in /.m2/repository/org/apache/spark/spark-core_2.11/2.0.0/spark-core_2.11-2.0.0.jar
at <com.intel.hibench.sparkbench.ml.LogisticRegressionDataGenerator$: void main(java.lang.String[])> (com.intel.hibench.sparkbench.ml.LogisticRegressionDataGenerator$.java:[68]) in /detect/unzip/HiBench-7.1.1/sparkbench/ml/target/classes

Dependency tree--

[INFO] com.intel.hibench.sparkbench:sparkbench-ml:jar:7.1.1
[INFO] +- com.intel.hibench.sparkbench:sparkbench-common:jar:7.1.1:compile
[INFO] |  \- org.apache.hadoop:hadoop-common:jar:2.4.0:compile
[INFO] |     +- org.apache.hadoop:hadoop-annotations:jar:2.4.0:compile
[INFO] |     |  \- jdk.tools:jdk.tools:jar:1.6:system
[INFO] |     +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |     +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |     +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] |     +- commons-codec:commons-codec:jar:1.4:compile
[INFO] |     +- commons-io:commons-io:jar:2.4:compile
[INFO] |     +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |     +- javax.servlet:servlet-api:jar:2.5:compile
[INFO] |     +- org.mortbay.jetty:jetty:jar:6.1.26:compile
[INFO] |     +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile
[INFO] |     +- com.sun.jersey:jersey-core:jar:1.9:compile
[INFO] |     +- com.sun.jersey:jersey-json:jar:1.9:compile
[INFO] |     |  +- org.codehaus.jettison:jettison:jar:1.1:compile
[INFO] |     |  +- com.sun.xml.bind:jaxb-impl:jar:2.2.3-1:compile
[INFO] |     |  |  \- javax.xml.bind:jaxb-api:jar:2.2.2:compile
[INFO] |     |  |     +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] |     |  |     \- javax.activation:activation:jar:1.1:compile
[INFO] |     |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO] |     |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO] |     +- com.sun.jersey:jersey-server:jar:1.9:compile
[INFO] |     |  \- asm:asm:jar:3.1:compile
[INFO] |     +- tomcat:jasper-compiler:jar:5.5.23:runtime
[INFO] |     +- tomcat:jasper-runtime:jar:5.5.23:runtime
[INFO] |     +- javax.servlet.jsp:jsp-api:jar:2.1:runtime
[INFO] |     +- commons-el:commons-el:jar:1.0:runtime
[INFO] |     +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |     +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |     +- commons-configuration:commons-configuration:jar:1.6:compile
[INFO] |     |  +- commons-digester:commons-digester:jar:1.8:compile
[INFO] |     |  |  \- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |     |  \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile
[INFO] |     +- org.apache.avro:avro:jar:1.7.4:compile
[INFO] |     |  \- com.thoughtworks.paranamer:paranamer:jar:2.3:compile
[INFO] |     +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |     +- org.apache.hadoop:hadoop-auth:jar:2.4.0:compile
[INFO] |     |  \- org.apache.httpcomponents:httpclient:jar:4.2.5:compile
[INFO] |     |     \- org.apache.httpcomponents:httpcore:jar:4.2.4:compile
[INFO] |     +- com.jcraft:jsch:jar:0.1.42:compile
[INFO] |     +- org.apache.zookeeper:zookeeper:jar:3.4.5:compile
[INFO] |     \- org.apache.commons:commons-compress:jar:1.4.1:compile
[INFO] |        \- org.tukaani:xz:jar:1.0:compile
[INFO] +- org.apache.spark:spark-core_2.11:jar:2.0.0:provided
[INFO] |  +- org.apache.avro:avro-mapred:jar:hadoop2:1.7.7:provided
[INFO] |  |  +- org.apache.avro:avro-ipc:jar:1.7.7:provided
[INFO] |  +- com.twitter:chill_2.11:jar:0.8.0:provided
[INFO] |  |  \- com.esotericsoftware:kryo-shaded:jar:3.0.3:provided
[INFO] |  |     +- com.esotericsoftware:minlog:jar:1.3.0:provided
[INFO] |  |     \- org.objenesis:objenesis:jar:2.1:provided
[INFO] |  +- com.twitter:chill-java:jar:0.8.0:provided
[INFO] |  +- org.apache.xbean:xbean-asm5-shaded:jar:4.4:provided
[INFO] |  +- org.apache.hadoop:hadoop-client:jar:2.2.0:provided
[INFO] |  |  +- org.apache.hadoop:hadoop-hdfs:jar:2.2.0:provided
[INFO] |  |  +- org.apache.hadoop:hadoop-mapreduce-client-app:jar:2.2.0:provided
[INFO] |  |  |  +- org.apache.hadoop:hadoop-mapreduce-client-common:jar:2.2.0:provided
[INFO] |  |  |  |  +- org.apache.hadoop:hadoop-yarn-client:jar:2.2.0:provided
[INFO] |  |  |  |  |  \- com.google.inject:guice:jar:3.0:provided
[INFO] |  |  |  |  |     +- javax.inject:javax.inject:jar:1:provided
[INFO] |  |  |  |  |     \- aopalliance:aopalliance:jar:1.0:provided
[INFO] |  |  |  |  \- org.apache.hadoop:hadoop-yarn-server-common:jar:2.2.0:provided
[INFO] |  |  |  \- org.apache.hadoop:hadoop-mapreduce-client-shuffle:jar:2.2.0:provided
[INFO] |  |  +- org.apache.hadoop:hadoop-yarn-api:jar:2.2.0:provided
[INFO] |  |  +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.2.0:provided
[INFO] |  |  |  \- org.apache.hadoop:hadoop-yarn-common:jar:2.2.0:provided
[INFO] |  |  \- org.apache.hadoop:hadoop-mapreduce-client-jobclient:jar:2.2.0:provided
[INFO] |  +- org.apache.spark:spark-launcher_2.11:jar:2.0.0:provided
[INFO] |  +- org.apache.spark:spark-network-common_2.11:jar:2.0.0:provided
[INFO] |  +- org.apache.spark:spark-network-shuffle_2.11:jar:2.0.0:provided
[INFO] |  |  +- org.fusesource.leveldbjni:leveldbjni-all:jar:1.8:provided
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.5:provided
[INFO] |  +- org.apache.spark:spark-unsafe_2.11:jar:2.0.0:provided
[INFO] |  +- net.java.dev.jets3t:jets3t:jar:0.7.1:compile
[INFO] |  +- org.apache.curator:curator-recipes:jar:2.4.0:provided
[INFO] |  |  \- org.apache.curator:curator-framework:jar:2.4.0:provided
[INFO] |  |     \- org.apache.curator:curator-client:jar:2.4.0:provided
[INFO] |  +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.3.2:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.4.1:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.16:compile
[INFO] |  +- org.slf4j:jul-to-slf4j:jar:1.7.16:provided
[INFO] |  +- org.slf4j:jcl-over-slf4j:jar:1.7.16:provided
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.16:compile
[INFO] |  +- com.ning:compress-lzf:jar:1.0.3:provided
[INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.2.4:compile
[INFO] |  +- net.jpountz.lz4:lz4:jar:1.3.0:provided
[INFO] |  +- org.roaringbitmap:RoaringBitmap:jar:0.5.11:provided
[INFO] |  +- commons-net:commons-net:jar:2.2:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.11.8:compile
[INFO] |  +- org.json4s:json4s-jackson_2.11:jar:3.2.11:provided
[INFO] |  |  \- org.json4s:json4s-core_2.11:jar:3.2.11:provided
[INFO] |  |     +- org.json4s:json4s-ast_2.11:jar:3.2.11:provided
[INFO] |  |     \- org.scala-lang:scalap:jar:2.11.0:provided
[INFO] |  |        \- org.scala-lang:scala-compiler:jar:2.11.0:provided
[INFO] |  |           \- org.scala-lang.modules:scala-parser-combinators_2.11:jar:1.0.1:provided
[INFO] |  +- org.glassfish.jersey.core:jersey-client:jar:2.22.2:provided
[INFO] |  |  +- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:provided
[INFO] |  |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b34:provided
[INFO] |  |  |  +- org.glassfish.hk2:hk2-utils:jar:2.4.0-b34:provided
[INFO] |  |  |  \- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b34:provided
[INFO] |  |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b34:provided
[INFO] |  |  \- org.glassfish.hk2:hk2-locator:jar:2.4.0-b34:provided
[INFO] |  |     \- org.javassist:javassist:jar:3.18.1-GA:provided
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.22.2:provided
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.2:provided
[INFO] |  |  +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.22.2:provided
[INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:provided
[INFO] |  +- org.glassfish.jersey.core:jersey-server:jar:2.22.2:provided
[INFO] |  |  +- org.glassfish.jersey.media:jersey-media-jaxb:jar:2.22.2:provided
[INFO] |  |  \- javax.validation:validation-api:jar:1.1.0.Final:provided
[INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet:jar:2.22.2:provided
[INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet-core:jar:2.22.2:provided
[INFO] |  +- org.apache.mesos:mesos:jar:shaded-protobuf:0.21.1:provided
[INFO] |  +- io.netty:netty-all:jar:4.0.29.Final:provided
[INFO] |  +- io.netty:netty:jar:3.8.0.Final:provided
[INFO] |  +- com.clearspring.analytics:stream:jar:2.7.0:provided
[INFO] |  +- io.dropwizard.metrics:metrics-core:jar:3.1.2:provided
[INFO] |  +- io.dropwizard.metrics:metrics-jvm:jar:3.1.2:provided
[INFO] |  +- io.dropwizard.metrics:metrics-json:jar:3.1.2:provided
[INFO] |  +- io.dropwizard.metrics:metrics-graphite:jar:3.1.2:provided
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.5:provided
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.6.5:provided
[INFO] |  +- com.fasterxml.jackson.module:jackson-module-scala_2.11:jar:2.6.5:provided
[INFO] |  |  +- org.scala-lang:scala-reflect:jar:2.11.7:provided
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-paranamer:jar:2.6.5:provided
[INFO] |  +- org.apache.ivy:ivy:jar:2.4.0:provided
[INFO] |  +- oro:oro:jar:2.0.8:provided
[INFO] |  +- net.razorvine:pyrolite:jar:4.9:provided
[INFO] |  +- net.sf.py4j:py4j:jar:0.10.1:provided
[INFO] |  +- org.apache.spark:spark-tags_2.11:jar:2.0.0:provided
[INFO] |  |     \- org.scala-lang.modules:scala-xml_2.11:jar:1.0.2:provided
[INFO] |  \- org.spark-project.spark:unused:jar:1.0.0:provided
[INFO] +- org.apache.spark:spark-mllib_2.11:jar:2.0.0:provided
[INFO] |  +- org.apache.spark:spark-streaming_2.11:jar:2.0.0:provided
[INFO] |  +- org.apache.spark:spark-sql_2.11:jar:2.0.0:provided
[INFO] |  |  +- com.univocity:univocity-parsers:jar:2.1.1:provided
[INFO] |  |  +- org.apache.spark:spark-sketch_2.11:jar:2.0.0:provided
[INFO] |  |  +- org.apache.spark:spark-catalyst_2.11:jar:2.0.0:provided
[INFO] |  |  |  +- org.codehaus.janino:janino:jar:2.7.8:provided
[INFO] |  |  |  |  \- org.codehaus.janino:commons-compiler:jar:2.7.8:provided
[INFO] |  |  |  \- org.antlr:antlr4-runtime:jar:4.5.3:provided
[INFO] |  |  +- org.apache.parquet:parquet-column:jar:1.7.0:provided
[INFO] |  |  |  +- org.apache.parquet:parquet-common:jar:1.7.0:provided
[INFO] |  |  |  \- org.apache.parquet:parquet-encoding:jar:1.7.0:provided
[INFO] |  |  |     \- org.apache.parquet:parquet-generator:jar:1.7.0:provided
[INFO] |  |  \- org.apache.parquet:parquet-hadoop:jar:1.7.0:provided
[INFO] |  |     +- org.apache.parquet:parquet-format:jar:2.3.0-incubating:provided
[INFO] |  |     \- org.apache.parquet:parquet-jackson:jar:1.7.0:provided
[INFO] |  +- org.apache.spark:spark-graphx_2.11:jar:2.0.0:provided
[INFO] |  |  +- com.github.fommil.netlib:core:jar:1.1.2:provided
[INFO] |  |  \- net.sourceforge.f2j:arpack_combined_all:jar:0.1:provided
[INFO] |  +- org.apache.spark:spark-mllib-local_2.11:jar:2.0.0:provided
[INFO] |  +- org.scalanlp:breeze_2.11:jar:0.11.2:provided
[INFO] |  |  +- org.scalanlp:breeze-macros_2.11:jar:0.11.2:provided
[INFO] |  |  +- net.sf.opencsv:opencsv:jar:2.3:provided
[INFO] |  |  +- com.github.rwl:jtransforms:jar:2.4.0:provided
[INFO] |  |  \- org.spire-math:spire_2.11:jar:0.7.4:provided
[INFO] |  |     \- org.spire-math:spire-macros_2.11:jar:0.7.4:provided
[INFO] |  \- org.jpmml:pmml-model:jar:1.2.15:provided
[INFO] |     \- org.jpmml:pmml-schema:jar:1.2.15:provided
[INFO] +- com.github.scopt:scopt_2.10:jar:3.2.0:compile
[INFO] +- org.apache.mahout:mahout-core:jar:0.9:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.12:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.12:compile
[INFO] |  +- com.thoughtworks.xstream:xstream:jar:1.4.4:compile
[INFO] |  |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] |  +- org.apache.lucene:lucene-core:jar:4.6.1:compile
[INFO] |  +- org.apache.lucene:lucene-analyzers-common:jar:4.6.1:compile
[INFO] |  +- org.apache.mahout.commons:commons-cli:jar:2.0-mahout:compile
[INFO] |  \- org.apache.solr:solr-commons-csv:jar:3.5.0:compile
[INFO] +- org.apache.mahout:mahout-math:jar:0.9:compile
[INFO] |  \- com.google.guava:guava:jar:16.0:compile
[INFO] \- log4j:log4j:jar:1.2.17:compile

Suggested solutions:

Update dependency version

Thank you very much.
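The report above boils down to a version check: zookeeper 3.4.5 arrives transitively through hadoop-common 2.4.0 (see the dependency tree), and 3.4.5 sits inside the affected range [,3.4.14),[3.5.0-alpha, 3.5.5). The script below is an added example for this issue, not HiBench or Apache ZooKeeper code. It parses that Maven-style range notation, reads coordinates out of `mvn dependency:tree` output and flags every occurrence of the artifact whose version falls in the range. The version ordering it uses is an assumed simplification of Maven's (numeric segments compared left to right, trailing zeros ignored, alpha/beta/rc/snapshot qualifiers sorting before the bare release), not Maven's full ComparableVersion algorithm; the embedded tree is an excerpt of the one posted in this issue.

```python
"""Flag vulnerable org.apache.zookeeper:zookeeper versions in `mvn dependency:tree` output.

Added example for this issue, not HiBench or Apache ZooKeeper project code.
The version comparison is an assumed simplification of Maven's ordering.
"""
import re
from typing import List, Optional, Tuple

ARTIFACT = "org.apache.zookeeper:zookeeper"
# Affected range exactly as stated in the issue for CVE-2019-0201.
CVE_2019_0201_RANGES = "[,3.4.14),[3.5.0-alpha, 3.5.5)"

# Pre-release qualifiers sort before the bare release (rank 0); other qualifiers are treated as release.
QUALIFIER_RANK = {"snapshot": -4, "alpha": -3, "beta": -2, "rc": -1}
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

VersionKey = Tuple[Tuple[int, ...], int]


def version_key(version: str) -> VersionKey:
    """Turn '3.5.0-alpha' into ((3, 5), -3) so that plain tuple comparison gives release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z]+)\d*)?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while nums and nums[-1] == 0:  # 3.4.0 and 3.4 are the same release
        nums.pop()
    rank = QUALIFIER_RANK.get((m.group(2) or "").lower(), 0)
    return tuple(nums), rank


def parse_ranges(spec: str) -> List[Tuple[bool, Optional[str], Optional[str], bool]]:
    """Parse Maven range notation such as '[,3.4.14),[3.5.0-alpha, 3.5.5)'.

    Each interval becomes (lower_inclusive, lower, upper, upper_inclusive);
    an empty bound is returned as None, meaning unbounded on that side.
    """
    intervals = []
    for m in re.finditer(r"([\[(])([^\[\]()]*)([\])])", spec):
        body = m.group(2)
        if "," in body:
            lo, hi = (s.strip() for s in body.split(",", 1))
        else:  # '[3.4.5]' pins a single version
            lo = hi = body.strip()
        intervals.append((m.group(1) == "[", lo or None, hi or None, m.group(3) == "]"))
    if not intervals:
        raise ValueError(f"no bracketed intervals found in {spec!r}")
    return intervals


def in_affected_range(version: str, spec: str) -> bool:
    """True if `version` lies inside any interval of `spec`."""
    key = version_key(version)
    for lo_incl, lo, hi, hi_incl in parse_ranges(spec):
        if lo is not None:
            lk = version_key(lo)
            if key < lk or (key == lk and not lo_incl):
                continue
        if hi is not None:
            hk = version_key(hi)
            if key > hk or (key == hk and not hi_incl):
                continue
        return True
    return False


def find_vulnerable(tree_text: str, artifact: str, spec: str) -> List[Tuple[int, str]]:
    """Return (line_number, version) for each dependency:tree line matching `artifact` inside `spec`.

    Maven prints groupId:artifactId:type[:classifier]:version[:scope]; the coordinate
    token is the last whitespace-free token on the line and the version is read from the right.
    """
    hits = []
    for lineno, line in enumerate(tree_text.splitlines(), 1):
        m = re.search(r"(\S+(?::\S+){3,})\s*$", line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if ":".join(parts[:2]) != artifact:
            continue
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        if in_affected_range(version, spec):
            hits.append((lineno, version))
    return hits


# Excerpt of the dependency tree posted in this issue: zookeeper is pulled in
# transitively through hadoop-common 2.4.0, not declared by HiBench itself.
ISSUE_TREE_EXCERPT = """\
[INFO] com.intel.hibench.sparkbench:sparkbench-ml:jar:7.1.1
[INFO] +- com.intel.hibench.sparkbench:sparkbench-common:jar:7.1.1:compile
[INFO] |  \\- org.apache.hadoop:hadoop-common:jar:2.4.0:compile
[INFO] |     +- org.apache.zookeeper:zookeeper:jar:3.4.5:compile
[INFO] +- org.apache.spark:spark-core_2.11:jar:2.0.0:provided
[INFO] |  +- org.apache.avro:avro-mapred:jar:hadoop2:1.7.7:provided
[INFO] |  +- org.apache.curator:curator-recipes:jar:2.4.0:provided
"""

if __name__ == "__main__":
    for lineno, version in find_vulnerable(ISSUE_TREE_EXCERPT, ARTIFACT, CVE_2019_0201_RANGES):
        print(f"line {lineno}: {ARTIFACT}:{version} is inside {CVE_2019_0201_RANGES}")
```

Run it against the full output of `mvn dependency:tree` for the module to confirm the transitive zookeeper version before and after a fix. Because the vulnerable jar comes from hadoop-common rather than from HiBench's own pom, bumping a direct dependency alone will not change it; the usual Maven approach is to pin the transitive version in `<dependencyManagement>` (or exclude it from hadoop-common) and re-run the tree to verify the resolved version is outside the range.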

CVEDetect commented 3 years ago

@carsonwang Could you please help me check this issue? May I open a pull request to fix it? Thanks again.