Closed rcprcp closed 10 months ago
Dependabot just upgraded the Guava lib to v32.1.3 https://github.com/apache/arrow/commit/307fbc5113985a52d2ad10d3ad2ca1a5b56ae0d5. One of the CVEs recommends upgrading to at least v32.0.1 so this might be fixed already. @rcprcp do you want to verify this resolves the issue?
Hi @danepitkin - thanks for picking up this issue so quickly.
Your help with this is greatly appreciated. 🥇
We realize now that there is one other important CVE that's included in flight-sql-jdbc-driver and we also need this one resolved as well: https://nvd.nist.gov/vuln/detail/CVE-2022-36364
This vulnerability is introduced by the reference to Avatica v1.18.0. In Avatica version 1.22.0 and above, this issue is resolved.
See https://mvnrepository.com/artifact/org.apache.calcite.avatica/avatica-core
Is it possible to also upgrade the Avatica dependency in the flight-sql-jdbc-driver?
Thank you for your help.
Ah looks like Arrow is using v1.18:
JDBC Core: https://github.com/apache/arrow/blob/6c326db6a5686a78bc77be662b61236ddbfc66dc/java/flight/flight-sql-jdbc-core/pom.xml#L131
JDBC Driver: https://github.com/apache/arrow/blob/6c326db6a5686a78bc77be662b61236ddbfc66dc/java/flight/flight-sql-jdbc-driver/pom.xml#L117
Would you be willing to help contribute a fix for this?
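An added check, not code from this thread or from the Arrow project: given a pom.xml, it resolves each tracked dependency's version (including `${property}` references, which Maven poms commonly use) and flags anything below the fixed releases named in the thread. The pom fragment, its property name and its versions are constructed for illustration; only Avatica and Guava are tracked, since those are the two for which the thread states a fixed version.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom fragment in the shape of the driver pom discussed above (not the real file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><dep.avatica.version>1.18.0</dep.avatica.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.calcite.avatica</groupId><artifactId>avatica</artifactId>
      <version>${dep.avatica.version}</version>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>32.1.3-jre</version>
    </dependency>
  </dependencies>
</project>"""

# Minimum fixed versions as stated in the thread: Avatica 1.22.0 for CVE-2022-36364,
# Guava 32.0.1 for CVE-2023-2976.
MIN_FIXED = {
    ("org.apache.calcite.avatica", "avatica"): ("1.22.0", "CVE-2022-36364"),
    ("com.google.guava", "guava"): ("32.0.1", "CVE-2023-2976"),
}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def version_key(version):
    """Numeric dotted prefix as a tuple; qualifiers such as '-jre' are ignored."""
    core = re.match(r"\d+(?:\.\d+)*", version).group(0)
    return tuple(int(part) for part in core.split("."))

def resolve(version, props):
    """Expand a ${property} reference from <properties>; leave literals unchanged."""
    ref = re.fullmatch(r"\$\{([^}]+)\}", version.strip())
    return props.get(ref.group(1), version) if ref else version.strip()

def check_pom(pom_xml):
    """Return (artifactId, resolved version, CVE) for every tracked dependency below its fix."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: p.text.strip() for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = (dep.findtext("m:groupId", "", NS), dep.findtext("m:artifactId", "", NS))
        if key in MIN_FIXED:
            version = resolve(dep.findtext("m:version", "", NS), props)
            min_fixed, cve = MIN_FIXED[key]
            if version_key(version) < version_key(min_fixed):
                findings.append((key[1], version, cve))
    return findings
```

Run against the real flight-sql-jdbc-core and flight-sql-jdbc-driver poms, `check_pom` reports the Avatica entry until the property (or literal) is raised to 1.22.0 or later.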
Hi @danepitkin - sure.
If by "fix," we mean to change the pom files, run a few local tests, and submit a PR.
Please let me know if there is more to this than I am considering.
Thanks
Yes, that's it! Thank you @rcprcp, I truly appreciate it.
Can we update the title/description of this issue to match the PR?
@danepitkin thank you. Updated the issue's title.
Hi @lidavidm, is there an approximate date when Arrow Flight V15 will be released? Or, if there is going to be a 14.3.0 version released sooner, can we get this issue backported? If we go with 14.3.0, is there an approximate date for that? Thanks!
Releases are roughly every 3 months. 14.3.0 is unlikely, 15.0.0 should be in January.
Describe the bug, including details regarding any error messages, version, and platform.
The Flight SQL JDBC driver link on mvnrepository
https://mvnrepository.com/artifact/org.apache.arrow/flight-sql-jdbc-driver/14.0.1
Links to these two CVEs:
Vulnerabilities from dependencies: CVE-2023-2976 CVE-2020-8908
These CVEs are blocking a customer's ability to use the driver in production, as the customer's Security Team objects to having these move to production.
Is it possible to upgrade the dependencies, test, and release a new version of the driver without these CVEs?
Component(s)
Java