apache / pinot

Apache Pinot - A realtime distributed OLAP datastore
https://pinot.apache.org/
Apache License 2.0

Security Concerns in the Pinot Docker Image and Java Dependencies #10311

Closed andscoop closed 1 week ago

andscoop commented 1 year ago

Pinot is falling behind on image and dependency security. In addition to #10274, I have two other high-level concerns that are going to affect security-conscious organizations' ability to run Apache Pinot on production infrastructure.

I'm curious to hear the team's thoughts on the issues below.

docker image concerns

pinot-base image is currently based on the openjdk image which is "officially deprecated" and for "non-production builds". Our security software is noting vulnerabilities that would likely be fixed from changing the base image.

Pinot users should be able to solve image layer issues easily themselves by either building or pulling artifacts directly into an image of their choice. This responsibility does not fall entirely on Apache Pinot, but if pinot-base continues to use openjdk, I do believe non-production should be specified wherever the image is mentioned.

Apache Pinot Java Dependencies

Apache Pinot java dependencies themselves are probably the greater cause for concern. When pulling artifacts from the 0.12.0 release into our image, our security scan is flagging the CVEs listed below.

Of course the responsibility does not fall entirely on the maintainers of the open source project. I have created #10304 to get a feel for contributing. I do have concerns that some of these dependency upgrades are non-trivial and will likely require intimate knowledge of the project, or at least more Java knowledge than I currently possess.

Image Vulnerabilities
ID               Severity    Package Name                    Package Version
CVE-2022-25168   critical    org.apache.hadoop_hadoop-hdfs   2.10.1
CVE-2022-23305   critical    log4j_log4j                     1.2.17
CVE-2021-37404   critical    org.apache.hadoop_hadoop-hdfs   2.10.1
CVE-2020-9548    critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-9547    critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-9546    critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-9493    critical    log4j_log4j                     1.2.17
CVE-2020-8840    critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2019-20330   critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2019-17571   critical    log4j_log4j                     1.2.17
CVE-2019-17531   critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2019-16943   critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2019-16942   critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2018-7489    critical    com.fasterxml.jackson.core_jackson-databind 2.4.0
CVE-2019-20445   critical    io.netty_netty                  3.10.6
CVE-2019-20444   critical    io.netty_netty                  3.10.6
CVE-2022-26612   critical    org.apache.hadoop_hadoop-common 2.10.1
CVE-2022-25168   critical    org.apache.hadoop_hadoop-common 2.10.1
CVE-2021-37404   critical    org.apache.hadoop_hadoop-common 2.10.1
CVE-2022-23307   high        log4j_log4j                     1.2.17
CVE-2022-23302   high        log4j_log4j                     1.2.17
CVE-2021-33036   high        org.apache.hadoop_hadoop-hdfs   2.10.1
CVE-2021-25642   high        org.apache.hadoop_hadoop-hdfs   2.10.1
CVE-2020-11113   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-11112   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-11111   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-10969   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-10968   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-10673   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-10672   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2021-20190   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36189   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36188   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36187   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36186   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36185   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36184   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36183   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36182   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36181   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36180   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36179   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-35728   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-35491   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-35491   high        com.fasterxml.jackson.core_jackson-databind 2.4.0
CVE-2020-35490   high        com.fasterxml.jackson.core_jackson-databind 2.4.0
CVE-2020-35490   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-24750   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-24616   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-14195   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-14062   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-14061   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-14060   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-11620   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-11619   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-10650   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-10650   high        com.fasterxml.jackson.core_jackson-databind 2.4.0
CVE-2022-42004   high        com.fasterxml.jackson.core_jackson-databind 2.4.0
CVE-2022-42004   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2022-42004   high        com.fasterxml.jackson.core_jackson-databind 2.12.7
CVE-2022-42003   high        com.fasterxml.jackson.core_jackson-databind 2.4.0
CVE-2022-42003   high        com.fasterxml.jackson.core_jackson-databind 2.12.7
CVE-2022-42003   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2022-41881   high        io.netty_netty-all              4.1.79
CVE-2022-41881   high        io.netty_netty                  3.10.6
CVE-2022-41881   high        io.netty_netty-codec            4.1.79
CVE-2021-37137   high        io.netty_netty                  3.10.6
CVE-2021-37136   high        io.netty_netty                  3.10.6
CVE-2020-36518   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2020-36518   high        com.fasterxml.jackson.core_jackson-databind 2.4.0
CVE-2020-25649   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
CVE-2019-16869   high        io.netty_netty                  3.10.6
CVE-2021-22573   high        com.google.oauth-client_google-oauth-client 1.31.0
CVE-2022-45693   high        org.codehaus.jettison_jettison  1.1
CVE-2022-45685   high        org.codehaus.jettison_jettison  1.1
CVE-2022-40150   high        org.codehaus.jettison_jettison  1.1
CVE-2022-3510    high        com.google.protobuf_protobuf-java   3.19.2
CVE-2022-3509    high        com.google.protobuf_protobuf-java   3.19.2

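
The scan dump above is long, but most of it is the same handful of jars. A first triage step that the issue does not spell out is to group the findings per artifact and version, and to notice that jackson-databind shows up in three different versions (2.4.0, 2.9.10, 2.12.7): bumping one version in the build will not clear findings against copies that arrive through other transitive paths. The following script is an added example by the editor, not code from the issue author or the Pinot project. The sample input is a subset of the scanner lines posted above, copied with their timestamp prefix so the parser has to strip it; the severity ranking it uses is an assumption.

```python
"""Triage a container vulnerability scan dump by package and version.

Added example, not Pinot project code. SAMPLE_SCAN is a constructed
subset of the scanner output posted in the issue, prefix included.
"""
import re
from collections import defaultdict

# Assumed severity ordering; scanners differ in the labels they emit.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample: lines copied from the issue's scan output.
SAMPLE_SCAN = """\
15:47:14.189 I Image Vulnerabilities
15:47:14.189 I ID               Severity    Package Name                    Package Version
15:47:14.189 I CVE-2022-25168   critical    org.apache.hadoop_hadoop-hdfs   2.10.1
15:47:14.189 I CVE-2022-23305   critical    log4j_log4j                     1.2.17
15:47:14.189 I CVE-2020-9548    critical    com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2018-7489    critical    com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.189 I CVE-2022-25168   critical    org.apache.hadoop_hadoop-common 2.10.1
15:47:14.189 I CVE-2022-23307   high        log4j_log4j                     1.2.17
15:47:14.190 I CVE-2022-42004   high        com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2022-42004   high        com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2022-42004   high        com.fasterxml.jackson.core_jackson-databind 2.12.7
15:47:14.190 I CVE-2022-41881   high        io.netty_netty-all              4.1.79
15:47:14.190 I CVE-2022-41881   high        io.netty_netty                  3.10.6
"""

# One finding per line: optional "HH:MM:SS.mmm I " log prefix, then
# CVE id, severity, package name (groupId_artifactId) and version.
LINE_RE = re.compile(
    r"^(?:\d{2}:\d{2}:\d{2}\.\d+\s+\w\s+)?"
    r"(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<severity>[A-Za-z]+)\s+"
    r"(?P<package>\S+)\s+"
    r"(?P<version>\S+)\s*$"
)


def parse_scan(text):
    """Return de-duplicated (cve, severity, package, version) tuples.

    Banner and header lines do not match LINE_RE and are skipped; exact
    duplicate rows (scanners often repeat them per layer) are dropped.
    """
    seen = set()
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = (m["cve"], m["severity"].lower(), m["package"], m["version"])
        if row not in seen:
            seen.add(row)
            findings.append(row)
    return findings


def summarize_by_artifact(findings):
    """Per (package, version): number of distinct CVEs and worst severity."""
    groups = defaultdict(lambda: {"cves": set(), "worst": "none"})
    for cve, sev, pkg, ver in findings:
        g = groups[(pkg, ver)]
        g["cves"].add(cve)
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(g["worst"], 0):
            g["worst"] = sev
    return {k: {"count": len(v["cves"]), "worst": v["worst"]}
            for k, v in groups.items()}


def multi_version_artifacts(findings):
    """Packages present in more than one version inside the same image.

    Several copies of one library means it is pulled in by different
    transitive paths (or shaded); pinning a single version in the build
    will not remove the findings against the other copies.
    """
    versions = defaultdict(set)
    for _, _, pkg, ver in findings:
        versions[pkg].add(ver)
    return {pkg: sorted(v) for pkg, v in versions.items() if len(v) > 1}


def worst_first(summary):
    """Order artifacts by worst severity, then by CVE count, then name."""
    return sorted(
        summary.items(),
        key=lambda kv: (-SEVERITY_RANK.get(kv[1]["worst"], 0),
                        -kv[1]["count"], kv[0]),
    )


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    for (pkg, ver), info in worst_first(summarize_by_artifact(found)):
        print(f"{info['worst']:<9}{info['count']:>3}  {pkg}:{ver}")
    for pkg, vers in multi_version_artifacts(found).items():
        print(f"multiple copies bundled: {pkg} {vers}")
```

Run it against the full scanner output instead of SAMPLE_SCAN and the worst-first list is the order in which to chase transitive upgrades; the multi-version report is the list of jars where a dependency-tree check (for example `mvn dependency:tree`) is needed to find every path that drags in an old copy.
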
npandeyaof commented 1 year ago

Any traction on this?

mayankshriv commented 1 year ago

Thanks for refreshing this up @npandeyaof. IMHO, we should address it quickly (at least the transitive dependencies). Any interest in contributing?

mayankshriv commented 1 year ago

I did a quick scan and do see several of these had already been updated a while back @andscoop @npandeyaof, and we are in the process of upgrading to Java 17.

npandeyaof commented 1 year ago

> Thanks for refreshing this up @npandeyaof. IMHO, we should address it quickly (at least the transitive dependencies). Any interest in contributing?

Hey @mayankshriv, I would be interested. There are new CVEs popping up regularly as well.

Jackie-Jiang commented 1 week ago

All the vulnerable dependencies are upgraded. Closing this ticket.