hazelcast / hazelcast-jet

Distributed Stream and Batch Processing
https://jet-start.sh

Vulnerabilities in Snakeyaml used by Jet 4.3 #2914

Open olukas opened 3 years ago

olukas commented 3 years ago

Jet uses Snakeyaml 1.15, 1.16 and 1.17, which include the following vulnerabilities:

gurbuzali commented 3 years ago

closed via https://github.com/hazelcast/hazelcast-jet/pull/2949

olukas commented 3 years ago

Reopening. According to the report it seems org.yaml:snakeyaml:1.16 is also shaded in jmx_prometheus_javaagent-0.13.0.jar which is part of our distribution.
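A shaded copy like the one described above does not show up in a normal dependency report, so it has to be found in the shipped artifacts themselves. The following script is an added example, not code from the hazelcast-jet or jmx_exporter projects: it walks a distribution directory, and for every jar checks for `META-INF/maven/org.yaml/snakeyaml/pom.properties` (which the Maven shade plugin keeps even when it relocates the classes) and for any `.class` entry whose path contains `yaml/snakeyaml/`, which also catches relocated packages. The sample jars it builds (`snakeyaml-1.17.jar`, `agent-with-shaded-yaml.jar` with a constructed relocation prefix `example/shaded/`, and a jar without YAML) and the minimum version passed to `flag_below` are constructed for the demonstration; the thread itself does not name a fixed version.

```python
"""Find SnakeYAML copies, including shaded ones, in a distribution directory.

Added example, not part of the hazelcast-jet project. Assumes the jars were
built by Maven so that pom.properties is present under META-INF/maven.
"""
import os
import re
import tempfile
import zipfile

# Maven keeps this file even when the shade plugin relocates the classes.
POM_PROPS = "META-INF/maven/org.yaml/snakeyaml/pom.properties"
# Substring that survives relocation, e.g. foo/shaded/org/yaml/snakeyaml/Yaml.class
CLASS_MARKER = "yaml/snakeyaml/"


def parse_version(pom_properties_text):
    """Extract the version= line from a Maven pom.properties file."""
    m = re.search(r"^version=(.+)$", pom_properties_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def inspect_jar(path):
    """Return a finding dict if the jar carries SnakeYAML, else None."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        classes = [n for n in names if n.endswith(".class") and CLASS_MARKER in n]
        if version is None and not classes:
            return None
        # Relocated means the classes no longer live under org/yaml/snakeyaml/.
        relocated = any(not n.startswith("org/yaml/snakeyaml/") for n in classes)
        return {"version": version, "classes": len(classes), "relocated": relocated}


def scan_distribution(root):
    """Map each jar (path relative to root) that contains SnakeYAML to its finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            finding = inspect_jar(full)
            if finding is not None:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = finding
    return findings


def version_key(version):
    """Numeric tuple so that '1.9' < '1.23' compares correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def flag_below(findings, minimum):
    """Jars whose SnakeYAML is older than `minimum`, or whose version is unknown."""
    flagged = []
    for path, f in sorted(findings.items()):
        if f["version"] is None or version_key(f["version"]) < version_key(minimum):
            flagged.append(path)
    return flagged


def _write_jar(path, entries):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_distribution(root):
    """Constructed sample jars for the demo; not real hazelcast-jet artifacts."""
    props = "groupId=org.yaml\nartifactId=snakeyaml\nversion={}\n"
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; content is irrelevant
    _write_jar(os.path.join(root, "lib", "snakeyaml-1.17.jar"), {
        POM_PROPS: props.format("1.17"),
        "org/yaml/snakeyaml/Yaml.class": stub_class,
    })
    # Hypothetical agent jar that shades and relocates SnakeYAML 1.16.
    _write_jar(os.path.join(root, "lib", "agent-with-shaded-yaml.jar"), {
        POM_PROPS: props.format("1.16"),
        "example/shaded/org/yaml/snakeyaml/Yaml.class": stub_class,
    })
    _write_jar(os.path.join(root, "lib", "app-without-yaml.jar"), {
        "com/example/App.class": stub_class,
    })
    return root


def scan_sample():
    """Build the constructed distribution in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_distribution(tmp)
        return scan_distribution(tmp)


if __name__ == "__main__":
    found = scan_sample()
    for path, f in sorted(found.items()):
        print(path, f)
    print("below 1.17:", flag_below(found, "1.17"))
```

Run it against a real unpacked distribution with `scan_distribution("/path/to/hazelcast-jet")`; a jar that only carries the relocated classes and no `pom.properties` is still reported, with `version` set to `None`, so it is never silently skipped.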

gurbuzali commented 3 years ago

The latest version of jmx_prometheus_javaagent (0.15.0) shades org.yaml:snakeyaml:1.23, which still has this vulnerability. We can update this dependency once it is fixed on the prometheus side. (see https://github.com/prometheus/jmx_exporter/pull/585)

gurbuzali commented 3 years ago

The issue on the prometheus side is closed with this comment: "...The CVE is not a concern for this exporter, as the YAML is from a trusted source." I think we can close this issue on our side too.