StarRocks / starrocks

The world's fastest open query engine for sub-second analytics both on and off the data lakehouse. With the flexibility to support nearly any scenario, StarRocks provides best-in-class performance for multi-dimensional analytics, real-time analytics, and ad-hoc queries. A Linux Foundation project.
https://starrocks.io
Apache License 2.0

Fix com.fasterxml.jackson critical vulnerabilities #51682

Open OliveBZH opened 1 month ago

OliveBZH commented 1 month ago

In version 3.3.2, more than 40 vulnerabilities are found by a container scanning tool; almost all of them concern the jackson-databind library. Here is the list of corresponding CVEs:

CVE-2020-9547 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2017-15095 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-16335 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2018-14719 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-16943 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-17267 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-14379 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2017-7657 in   starrocks-be:org.eclipse.jetty:jetty-server
CVE-2019-14379 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-17267 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2019-16942 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-17531 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2018-11307 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2017-15095 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2018-7489 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2020-9548 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2020-8840 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2018-11307 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2018-19362 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-17531 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2017-7525 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2019-16943 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2020-8840 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2018-14719 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2019-20330 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-20330 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2020-9547 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-14540 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-14540 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2017-17485 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2018-19362 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2015-1832 in   starrocks-be:org.apache.derby:derby
CVE-2019-16942 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2019-10202 in   starrocks-fe:org.codehaus.jackson:jackson-mapper-asl
CVE-2017-17485 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2018-14718 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2017-7525 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2017-7658 in   starrocks-be:org.eclipse.jetty:jetty-server
CVE-2020-9548 in   starrocks-be:com.fasterxml.jackson.core:jackson-databind
CVE-2019-16335 in   starrocks-fe:com.fasterxml.jackson.core:jackson-databind
CVE-2019-10202 in   starrocks-be:org.codehaus.jackson:jackson-mapper-asl

Steps to reproduce the behavior (Required)

Execute a container scan with (for instance) trivy

Expected behavior (Required)

No critical VUL

Real behavior (Required)

See above list

StarRocks version (Required)

Smith-Cruise commented 1 month ago

Can you scan 3.3.4? We fixed some CVEs. And can you paste the vulnerable jar's path here?

OliveBZH commented 1 month ago

Hello, yes indeed, in 3.3.4 the list is shorter. I don't have the path, but I can share this table:


| Severity | Image | Package | Installed version | Recommended fix | CVE |
| -- | -- | -- | -- | -- | -- |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.8.11, 2.9.4, 2.6.7.3, 2.7.9.2 | CVE-2017-15095 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.4, 2.8.11, 2.7.9.2 | CVE-2017-17485 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.6.7.1, 2.7.9.1, 2.8.9 | CVE-2017-7525 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.7.9.4, 2.8.11.2, 2.9.6 | CVE-2018-11307 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.7, 2.8.11.3, 2.7.9.5 | CVE-2018-14719 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.8, 2.8.11.3, 2.7.9.5, 2.6.7.3 | CVE-2018-19362 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.9.2, 2.8.11.4, 2.7.9.6 | CVE-2019-14379 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10, 2.8.11.5, 2.6.7.3 | CVE-2019-14540 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10, 2.8.11.5, 2.6.7.3 | CVE-2019-16335 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10.1, 2.8.11.5, 2.6.7.3 | CVE-2019-16942 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10.1, 2.8.11.5, 2.6.7.3 | CVE-2019-16943 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10, 2.8.11.5 | CVE-2019-17267 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10.1, 2.8.11.5, 2.6.7.3 | CVE-2019-17531 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.2 | CVE-2019-20330 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 | CVE-2020-8840 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10.4, 2.8.11.6, 2.7.9.7 | CVE-2020-9547 |
| Critical | starrocks/fe-ubuntu:3.3.4 | com.fasterxml.jackson.core:jackson-databind | 2.4.0 | Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10.4, 2.8.11.6, 2.7.9.7 | CVE-2020-9548 |

Smith-Cruise commented 1 month ago

jackson-databind is required by Apache Ranger, we can't remove it. You can check out our ignore list: https://github.com/StarRocks/starrocks/blob/main/trivy.yaml#L8

OliveBZH commented 1 month ago

Thanks for your answer. Any possibility to upgrade jackson-databind to 2.7 or higher? It seems to solve the issue. For the ignore list, does it mean that the vulnerability is a false positive, or still legit but just ignored...?

BR

Smith-Cruise commented 1 month ago

jackson-databind 2.4.0 was introduced by hbase-protocol-shaded-2.4.13.jar/htrace-core4-4.2.0-incubating.jar

Apache Hudi requires the above two jars, and we can't bump it, because it is packaged inside those jars (hbase-protocol-shaded-2.4.13.jar/htrace-core4-4.2.0-incubating.jar) by shading.
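
As an added example (not code from the StarRocks project or from either commenter), the following Python script shows how to find which jar on disk actually carries the flagged jackson-databind copy, the "vulnerable jar's path" asked for earlier in the thread. It keys on the META-INF/maven/<groupId>/<artifactId>/pom.properties entry that Maven writes into a jar and that survives shading, which is one of the signals container scanners such as Trivy use to attribute a library and version, and it also reports whether the classes sit under a relocated package. The shading prefix org/apache/hadoop/hbase/shaded/ and the sample jar are constructed for illustration and are not taken from the real hbase-protocol-shaded or htrace-core4 artifacts.

```python
# Added example (not StarRocks project code): locate jars that embed
# jackson-databind, including copies relocated by the Maven shade plugin.
# A shaded jar keeps the embedded META-INF/maven/.../pom.properties entry even
# though the classes are moved under a new package, which is why a scanner
# reports jackson-databind 2.4.0 against the containing jar rather than
# against a jackson-databind-*.jar of its own.
import io
import os
import re
import zipfile

POM_PROPS_RE = re.compile(
    r"^META-INF/maven/(?P<group>[^/]+)/(?P<artifact>[^/]+)/pom\.properties$"
)
# jackson-databind class path, with or without a shading prefix in front of it.
DATABIND_CLASS_RE = re.compile(r"(?:^|/)com/fasterxml/jackson/databind/[^/]+\.class$")


def parse_pom_properties(text: str) -> dict:
    """Parse the Java .properties file Maven writes (key=value lines, # comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_embedded_artifacts(jar_bytes: bytes) -> list:
    """Return (groupId, artifactId, version, relocated) for every Maven artifact
    whose pom.properties is embedded in the jar. `relocated` is True for
    jackson-databind when its classes live only under a shading prefix."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        relocated = any(
            DATABIND_CLASS_RE.search(n) and not n.startswith("com/fasterxml/")
            for n in names
        )
        for name in names:
            m = POM_PROPS_RE.match(name)
            if not m:
                continue
            props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
            found.append((
                props.get("groupId", m.group("group")),
                props.get("artifactId", m.group("artifact")),
                props.get("version", "unknown"),
                relocated and props.get("artifactId") == "jackson-databind",
            ))
    return found


def jars_embedding(directory: str, group: str, artifact: str) -> list:
    """Walk `directory` and return (jar path, version, relocated) for each jar
    that embeds the requested artifact: the answer to 'which jar carries it?'."""
    hits = []
    for root, _, files in os.walk(directory):
        for fn in files:
            if not fn.endswith(".jar"):
                continue
            path = os.path.join(root, fn)
            with open(path, "rb") as fh:
                for g, a, v, rel in find_embedded_artifacts(fh.read()):
                    if (g, a) == (group, artifact):
                        hits.append((path, v, rel))
    return sorted(hits)


def build_sample_jar(shaded: bool) -> bytes:
    """Constructed sample jar (not a real StarRocks artifact) embedding
    jackson-databind 2.4.0 the way a shaded jar does; the prefix is hypothetical."""
    buf = io.BytesIO()
    prefix = "org/apache/hadoop/hbase/shaded/" if shaded else ""
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "#Generated by Maven\nversion=2.4.0\ngroupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-databind\n",
        )
        # Placeholder class bytes; only the entry name matters for this check.
        zf.writestr(prefix + "com/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for g, a, v, rel in find_embedded_artifacts(build_sample_jar(shaded=True)):
        print(f"{g}:{a} {v} relocated={rel}")
```

Point jars_embedding at the FE lib directory of an unpacked image (the path is deployment-specific) with group com.fasterxml.jackson.core and artifact jackson-databind to list the carrying jars, and run it again after removing or excluding the Hudi jars to confirm that no other jar still embeds the library.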

Smith-Cruise commented 1 month ago

Apache Ranger does not require it; that was my mistake.

OliveBZH commented 1 month ago

Thank you @Smith-Cruise. As you don't use either Hudi/HBase... we can consider these vulnerabilities not applicable for us, or try to remove these .jar files when building the image on our side.

Smith-Cruise commented 1 month ago

> Thank you @Smith-Cruise. As you don't use either Hudi/HBase... we can consider these vulnerabilities not applicable for us, or try to remove these .jar files when building the image on our side.

If you don't use Hudi, just remove it; FE can work normally.

OliveBZH commented 1 month ago

Is there any "proper" way to remove it (at the compile stage or otherwise)? So far we remove the jar when rebuilding the image.

Smith-Cruise commented 1 month ago

> Is there any "proper" way to remove it (at the compile stage or otherwise)? So far we remove the jar when rebuilding the image.

Exclude it in pom.xml?