Security Vulnerabilities - Black Duck Scan - JanusGraph 0.4.0

[engrdean]

Black Duck, a product by Synopsys that scans for open source security threats, uncovered a few issues with the dependencies for JanusGraph. Just posting the results here to make the community aware for future releases, I know this stuff is like a moving target.

Apache HttpComponents Client CVE-2012-5783 CVE-2012-6153 CVE-2014-3577 CVE-2015-5262

Apache Thrift CVE-2015-3254 CVE-2016-5397 CVE-2018-11798 CVE-2018-1320

Apache Xerces2J CVE-2009-2625 CVE-2012-0881

Apache ZooKeeper CVE-2016-5017 CVE-2017-5637 CVE-2018-8012 CVE-2019-0201

Bootstrap (Twitter) CVE-2018-14040 CVE-2018-14042 CVE-2018-20676 CVE-2018-20677 CVE-2019-8331

DataTables CVE-2015-6584

dom4j: flexible XML framework for Java CVE-2018-1000632

Guava: Google Core Libraries for Java CVE-2018-10237

Hibernate Validator CVE-2014-3558

jackson-databind CVE-2017-7525 CVE-2018-1000873 CVE-2018-11307 CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-5968 CVE-2018-7489

jbcrypt CVE-2015-0886

Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server CVE-2011-4461 CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2017-9735 CVE-2011-4461 CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2017-9735 CVE-2011-4461 CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2017-9735

jQuery CVE-2015-9251 CVE-2019-11358 CVE-2015-9251 CVE-2019-11358

Scala CVE-2017-15288 CVE-2017-15288 #

[pluradj]

Providing some discussion on the items listed above.

---

Apache HttpComponents Client

• Version 3.x is included via org.apache.hadoop:hadoop-hdfs:jar:2.7.7:compile
  • As discussed in #1729 the Hadoop version is aligned with what TinkerPop supports, and would need to be addressed in TinkerPop first
• Version 4.x is included via several packages
  • Remediation is to upgrade to at least HttpClient 4.3.6
  • JanusGraph master branch is beyond that version

Apache Thrift

• Included via org.apache.cassandra:cassandra-all:jar:2.2.13:compile
• Remediation is to upgrade to at least Thrift 0.12.0
• Thrift is the legacy (deprecated) protocol for Cassandra. Applications should disable Thrift on their Cassandra cluster, and use the CQL driver to avoid Thrift completely.

Apache Xerces2J

• Included via org.apache.hadoop:hadoop-hdfs:jar:2.7.7:compile
• As discussed in #1729 the Hadoop version is aligned with what TinkerPop supports, and would need to be addressed in TinkerPop first

Apache ZooKeeper

• Included via org.apache.spark:spark-core_2.11:jar:2.4.0:compile, org.apache.hbase:hbase-server:jar:2.1.5:compile, org.apache.hadoop:hadoop-common:jar:2.7.7:compile, org.apache.solr:solr-solrj:jar:7.0.0:compile
• Remediation is to upgrade to at least ZooKeeper 3.5.5

Bootstrap (Twitter)

• Included via org.apache.spark:spark-core_2.11:jar:2.4.0:compile
• JanusGraph does not provide a front end console that exposes Bootstrap

DataTables (plugin for jQuery)

• Included via org.apache.spark:spark-core_2.11:jar:2.4.0:compile
• JanusGraph does not provide a front end console that exposes DataTables

dom4j

• Included via org.reflections:reflections:jar:0.9.9-RC1:compile
• Remediation is to upgrade to at least dom4j 2.1.1
• Update to Reflections 0.9.12 will pull in dom4j 2.1.1 -- issue #1342, PR #2023

Guava

• Included via org.apache.tinkerpop:hadoop-gremlin:jar:3.4.6:compile, org.apache.cassandra:cassandra-all:jar:2.2.13:compile, com.datastax.cassandra:cassandra-driver-core:jar:3.8.0:compile, org.apache.hadoop:hadoop-common:jar:2.7.7:compile, org.apache.hadoop:hadoop-hdfs:jar:2.7.7:compile, org.apache.solr:solr-test-framework:jar:7.7.2:test, io.airlift:airline:jar:0.9:compile
• Remediation is to upgrade to at least Guava 24.1.1
• Always a tricky one to replace because of the cross-dependencies

Hibernate Validator

• Included via com.addthis.metrics:reporter-config3:jar:3.0.0:compile via org.apache.cassandra:cassandra-all:jar:2.2.13:compile
• Remediation is to upgrade to at least Hibernate Validator 4.3.2
• This appears to be an optional configuration when running a Cassandra node, so the Hibernate Validator dependency should probably be just excluded from JanusGraph

Jackson Databind

• Included via org.apache.tinkerpop:spark-gremlin:jar:3.4.6:compile, org.apache.hbase:hbase-server:jar:2.1.5:compile, com.datastax.cassandra:cassandra-driver-core:jar:3.8.0:compile, and software.amazon.awssdk:core:jar:2.0.0-preview-1:compile
• Remediation is to upgrade to at least Jackson Databind 2.9.8
• Already addressed with #1307

jbcrypt

• CVE reported against versions prior to 0.4
• JanusGraph already packages jbcrypt 0.4 via org.apache.tinkerpop:gremlin-groovy:jar:3.4.6:compile

Jetty

• All the CVEs are reported against jetty-server
• JanusGraph has a compile dependency on org.eclipse.jetty:jetty-server:jar:9.3.25.v20180904:compile via org.apache.hbase:hbase-server:jar:2.1.5:compile
• JanusGraph has a test dependency on org.eclipse.jetty:jetty-server:jar:9.3.14.v20161028:test via org.apache.solr:solr-test-framework:jar:7.0.0:test
• JanusGraph does not distribute jetty-server.jar

jQuery

• Included via org.apache.hadoop:hadoop-common:jar:2.7.7:compile and org.apache.spark:spark-core_2.11:jar:2.4.0:compile
• JanusGraph does not provide a front end console that exposes jQuery

Scala

• CVE is against org.scala-lang:scala-compiler
• No usage of scala-compiler in JanusGraph and no Scala source files in JanusGraph

[pluradj]

additional potential concerns were discussed on a janusgraph-users thread

---

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2018-17190

• Mitigation: Enable authentication on any Spark standalone cluster that is not otherwise secured from unwanted access, for example by network-level restrictions. Use spark.authenticate and related security properties described at https://spark.apache.org/docs/latest/security.html
• JanusGraph does not start a Spark cluster by default.

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202

• This CVE is an umbrella CVE over several CVEs against FasterXML jackson-databind, but it is filed against JBoss specifically.
• JanusGraph does not package JBoss.
• jackson-databind has been upgraded to 2.10.3 for various CVEs via https://github.com/JanusGraph/janusgraph/pull/1941 and https://github.com/JanusGraph/janusgraph/pull/2006

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-9518

• Affected configurations listed are Apple Swift NIO and Apache Traffic Server.
• JanusGraph does not package these components.

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202

• duplicate

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17571

• Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
• The SocketServer is an optional component, and JanusGraph does not start it by default.

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202

• duplicate

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-16869

• Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
• Netty was updated to 4.1.45.Final last week via https://github.com/JanusGraph/janusgraph/pull/2003

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202

• duplicate

https://github.com/apache/hadoop/commit/5d1889a66d91608d34ca9411fb6e9161e637e9d3

• not clear what CVE this is against

[farodin91]

We have tools inplace to update dependency. We are getting an automatic security checks by dependabot and GitHub.