apache / linkis

Apache Linkis builds a computation middleware layer to facilitate connection, governance and orchestration between the upper applications and the underlying data engines.
https://linkis.apache.org/
Apache License 2.0
3.3k stars 1.17k forks

linkis to prevent security risks, upgrade some jar packages #3942

Closed binbinCheng closed 1 year ago

binbinCheng commented 1 year ago

Upgrade the jar package

  1. protobuf-java: It is recommended to upgrade to any of versions 3.16.3, 3.19.6, 3.20.3, 3.21.7 or above. The current version has a medium-risk vulnerability, CVE-2022-3171, with a denial of service attack risk.
  2. jackson-mapper-asl: replace it with jackson-databind; please use jackson-databind 2.12.7.1, 2.13.4.1 or above. The current version has the CVE-2019-10172 vulnerability, which can be exploited by remote attackers to obtain sensitive information with specially crafted data.
  3. jackson-databind: upgrade to version 2.12.7.1, 2.13.4.1 or above. The current affected version has multiple serious high-risk vulnerabilities (CVE-2022-42003, CVE-2022-42004, CVE-2020-24616, CVE-2020-9548, CVE-2020-9547, etc.); attackers can conduct remote code execution and denial of service attacks on the affected Jackson server through carefully crafted request packets.

Upgrade the jar packages

  1. protobuf-java: It is recommended to upgrade to any of versions 3.16.3, 3.19.6, 3.20.3, 3.21.7 or above. The current version has a medium-risk vulnerability, CVE-2022-3171, which carries a denial of service attack risk.
  2. jackson-mapper-asl: replace it with jackson-databind; please use jackson-databind 2.12.7.1, 2.13.4.1 or above. The version currently in use has the CVE-2019-10172 vulnerability, which a remote attacker can exploit with specially crafted data to obtain sensitive information.
  3. jackson-databind: upgrade to 2.12.7.1, 2.13.4.1 or above. The currently affected version has multiple serious high-risk vulnerabilities (CVE-2022-42003, CVE-2022-42004, CVE-2020-24616, CVE-2020-9548, CVE-2020-9547, etc.); an attacker can carry out remote code execution, denial of service and other attacks on the affected Jackson server through carefully crafted request packets.

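The fixed versions in the comment above are per release line, so a plain "newer than 3.16.3" check is not enough: 3.17.0 is newer than 3.16.3 yet still unpatched, and jackson-databind 2.13.0 is newer than 2.12.7.1 yet below 2.13.4.1. The following added example (not code from the Linkis issue or project) checks `mvn dependency:list` style output against the thresholds named in the issue, branch by branch; the Maven coordinates and the sample dependency lines are constructed for illustration.

```python
import re

# First fixed version of each maintained branch, as listed in the issue.
# The highest entry also serves as the floor for any newer branch.
FIXED = {
    ("com.google.protobuf", "protobuf-java"): ["3.16.3", "3.19.6", "3.20.3", "3.21.7"],
    ("com.fasterxml.jackson.core", "jackson-databind"): ["2.12.7.1", "2.13.4.1"],
}
# Artifacts the issue says to replace outright rather than upgrade.
REPLACE = {("org.codehaus.jackson", "jackson-mapper-asl"): "jackson-databind"}


def parse_version(v):
    # Numeric tuple; qualifiers such as "-SNAPSHOT" are dropped.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_fixed(version, fixed_versions):
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    for f in fixed:
        if v[:2] == f[:2]:          # same major.minor branch: compare within it
            return v >= f
    # Branch not listed: only a branch newer than every listed one is assumed fixed
    # (e.g. protobuf 3.18.x sits between patched branches and stays flagged).
    return v[:2] > fixed[-1][:2]


def check_dependency_list(text):
    """Parse lines like 'group:artifact:jar:version:scope' and return findings."""
    findings = []
    for line in text.splitlines():
        m = re.search(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):\w+", line)
        if not m:
            continue
        group, artifact, version = m.groups()
        key = (group, artifact)
        if key in REPLACE:
            findings.append(f"{group}:{artifact}:{version} -> replace with {REPLACE[key]}")
        elif key in FIXED and not is_fixed(version, FIXED[key]):
            findings.append(f"{group}:{artifact}:{version} -> upgrade to one of {', '.join(FIXED[key])}")
    return findings


# Constructed sample of dependency:list output (not real Linkis data).
SAMPLE = """\
[INFO]    com.google.protobuf:protobuf-java:jar:3.17.0:compile
[INFO]    com.google.protobuf:protobuf-java:jar:3.21.7:compile
[INFO]    org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
"""
```

Running `check_dependency_list(SAMPLE)` flags protobuf-java 3.17.0, jackson-mapper-asl 1.9.13 and jackson-databind 2.13.0, while 3.21.7 and 2.14.1 pass.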
github-actions[bot] commented 1 year ago

Welcome to the Apache Linkis (incubating) community!!

We are glad that you are contributing by opening this issue.

Please make sure to include all the relevant context. We will be here shortly.

If you are interested in contributing to our website project, please let us know! You can check out our contributing guide on How to Participate in Project Contribution.

Community

WeChat Assistant / WeChat Public Account

Mailing Lists

dev@linkis.apache.org: community activity information (subscribe, unsubscribe, archive)

Lavivinia commented 1 year ago

How to recover account risk