Closed divaybansal closed 4 years ago
@divaybansal What tool did you use to do the vulnerability analysis? I'm thinking of periodically scanning druid for vulnerabilities so they can be proactively fixed, but I haven't compared the various available tools yet.
zookeeper will be updated to 3.4.14 in 0.16.
Fixed by #8878 and #8980
We did a vulnerability analysis on the latest version of Druid and found the below critical vulnerabilities in the dependent libraries bundled with Druid. Could you please update the version of these dependencies to the latest stable version?
| CVE | Dependency | Version | Severity | Fixed in |
|---|---|---|---|---|
| CVE-2018-14719 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.9.7 |
| CVE-2017-7658 | org.eclipse.jetty_jetty-io | 9.4.10.v20180503 | critical | 9.4.11, 9.3.24 |
| CVE-2017-7657 | org.eclipse.jetty_jetty-io | 9.4.10.v20180503 | critical | 9.4.11, 9.3.24 |
| CVE-2018-7489 | com.fasterxml.jackson.core_jackson-databind | 2.2.3 | critical | 2.9.5, 2.8.11.1, 2.7.9.3 |
| CVE-2018-14718 | com.fasterxml.jackson.core_jackson-databind | 2.2.3 | critical | 2.9.7 |
| CVE-2017-5645 | org.apache.logging.log4j_log4j-api | 2.4 | critical | 2.8.2 |
| CVE-2018-7489 | com.fasterxml.jackson.core_jackson-databind | 2.4.0 | critical | 2.9.5, 2.8.11.1, 2.7.9.3 |
| CVE-2017-5929 | ch.qos.logback_logback-core | 1.1.2 | critical | 1.2.0 |
| CVE-2016-3720 | com.fasterxml.jackson.core_jackson-core | 2.4.0 | critical | |
| CVE-2016-3720 | com.fasterxml.jackson.core_jackson-core | 2.2.3 | critical | |
| CVE-2018-14718 | com.fasterxml.jackson.core_jackson-databind | 2.4.0 | critical | 2.9.7 |
| CVE-2016-3720 | com.fasterxml.jackson.core_jackson-core | 2.6.7 | critical | |
| CVE-2018-7489 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.9.5, 2.8.11.1, 2.7.9.3 |
| CVE-2017-5645 | org.apache.logging.log4j_log4j-api | 2.5 | critical | 2.8.2 |
| CVE-2018-14718 | com.fasterxml.jackson.core_jackson-databind | 2.4.6 | critical | 2.9.7 |
| CVE-2018-19362 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.9.8 |
| CVE-2018-7489 | com.fasterxml.jackson.core_jackson-databind | 2.4.6 | critical | 2.9.5, 2.8.11.1, 2.7.9.3 |
| CVE-2018-19361 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.9.8 |
| CVE-2018-19360 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.9.8 |
| CVE-2017-7657 | org.eclipse.jetty_jetty-io | 9.2.5.v20141112 | critical | 9.4.11, 9.3.24 |
| CVE-2017-7658 | org.eclipse.jetty_jetty-io | 9.2.5.v20141112 | critical | 9.4.11, 9.3.24 |
| CVE-2018-14721 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.9.7 |
| CVE-2016-3720 | com.fasterxml.jackson.core_jackson-core | 2.4.6 | critical | |
| CVE-2018-14720 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.9.7 |
| CVE-2017-7525 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.8.9, 2.7.9.1, 2.6.7.1 |
| CVE-2018-14718 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | critical | 2.9.7 |
| CVE-2016-7051 | com.fasterxml.jackson.core_jackson-core | 2.4.6 | high | 2.8.4, 2.7.8 |
| CVE-2017-9735 | org.eclipse.jetty_jetty-io | 9.2.5.v20141112 | high | |
| CVE-2017-7656 | org.eclipse.jetty_jetty-io | 9.2.5.v20141112 | high | 9.4.11, 9.3.24 |
| CVE-2015-2080 | org.eclipse.jetty_jetty-http | 9.2.5.v20141112 | high | 9.2.9, 9.2 |
| CVE-2018-5968 | com.fasterxml.jackson.core_jackson-databind | 2.4.6 | high | |
| CVE-2018-5968 | com.fasterxml.jackson.core_jackson-databind | 2.6.7 | high | |
| CVE-2016-5017 | org.apache.zookeeper_zookeeper | 3.4.6 | high | 3.5.3, 3.4.9 |
| CVE-2017-5637 | org.apache.zookeeper_zookeeper | 3.4.6 | high | |
| CVE-2018-8012 | org.apache.zookeeper_zookeeper | 3.4.6 | high | 3.4.10 |
| CVE-2018-5968 | com.fasterxml.jackson.core_jackson-databind | 2.4.0 | high | |
| CVE-2016-7051 | com.fasterxml.jackson.core_jackson-core | 2.6.7 | high | 2.8.4, 2.7.8 |
| CVE-2016-7051 | com.fasterxml.jackson.core_jackson-core | 2.4.0 | high | 2.8.4, 2.7.8 |
| CVE-2016-7051 | com.fasterxml.jackson.core_jackson-core | 2.2.3 | high | 2.8.4, 2.7.8 |
| CVE-2018-5968 | com.fasterxml.jackson.core_jackson-databind | 2.2.3 | high | |
| CVE-2017-7656 | org.eclipse.jetty_jetty-io | 9.4.10.v20180503 | high | 9.4.11, 9.3.24 |
| CVE-2018-12545 | org.eclipse.jetty_jetty-io | 9.4.10.v20180503 | high | |