risingwavelabs / risingwave

Best-in-class stream processing, analytics, and management. Perform continuous analytics, or build event-driven applications, real-time ETL pipelines, and feature stores in minutes. Unified streaming and batch. PostgreSQL compatible.
https://www.risingwave.com/slack
Apache License 2.0

Address Java Vulnerabilities in Docker Image as of 24 April on latest image #16708

Open pjpringle opened 3 months ago

pjpringle commented 3 months ago

Docker image has a lot of Java libraries which fail enterprise vulnerability scans.

| package | version | fix_version | id | severity |
|---|---|---|---|---|
| log4j:log4j | 1.2.17 | | CVE-2019-17571 | Critical |
| log4j:log4j | 1.2.17 | | CVE-2022-23305 | Critical |
| org.yaml:snakeyaml | 1.33 | | CVE-2022-1471 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.4, 2.8.11 | CVE-2017-15095 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11, 2.9.4 | CVE-2017-17485 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.7.9.1, 2.6.7.1, 2.8.9 | CVE-2017-7525 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11.2, 2.7.9.4, 2.9.6 | CVE-2018-11307 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.7.9.5, 2.8.11.3, 2.9.7 | CVE-2018-14718 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.7.9.5, 2.8.11.3, 2.9.7 | CVE-2018-14719 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11.1, 2.9.5 | CVE-2018-7489 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.9.2 | CVE-2019-14379 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10 | CVE-2019-14540 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10, 2.8.11.5, 2.6.7.3 | CVE-2019-14892 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11.5, 2.9.10 | CVE-2019-14893 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10 | CVE-2019-16335 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.1 | CVE-2019-16942 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.1 | CVE-2019-16943 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10 | CVE-2019-17267 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.1 | CVE-2019-17531 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.6.7.4, 2.7.9.7, 2.9.10.2, 2.8.11.5 | CVE-2019-20330 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.6.7.4, 2.7.9.7, 2.9.10.3, 2.8.11.5 | CVE-2020-8840 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.4 | CVE-2020-9547 | Critical |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.4 | CVE-2020-9548 | Critical |
| log4j:log4j | 1.2.17 | | CVE-2022-23307 | High |
| log4j:log4j | 1.2.17 | | CVE-2021-4104 | High |
| log4j:log4j | 1.2.17 | | CVE-2022-23302 | High |
| com.google.protobuf:protobuf-java | 3.7.1 | 3.16.3, 3.19.6, 3.20.3, 3.21.7 | CVE-2022-3171 | High |
| com.google.protobuf:protobuf-java | 3.7.1 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | CVE-2022-3509 | High |
| com.google.protobuf:protobuf-java | 3.7.1 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | CVE-2022-3510 | High |
| net.minidev:json-smart | 1.3.2 | 2.4.4, 1.3.3 | CVE-2021-31684 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36179 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.8.11.2, 2.7.9.4, 2.9.6 | CVE-2018-12022 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.4, 2.8.11 | CVE-2018-5968 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.9 | CVE-2019-12086 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.9.2 | CVE-2019-14439 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.4 | CVE-2020-10650 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.4 | CVE-2020-10673 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.6 | CVE-2020-24616 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.6, 2.6.7.5 | CVE-2020-24750 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.10.5.1, 2.9.10.7, 2.6.7.4 | CVE-2020-25649 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-35490 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-35491 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36180 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36181 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36182 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36183 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36184 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36185 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36186 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36187 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36188 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.8 | CVE-2020-36189 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.12.6.1, 2.13.2.1 | CVE-2020-36518 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.9.10.7 | CVE-2021-20190 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.13.4.1, 2.12.7.1 | CVE-2022-42003 | High |
| com.fasterxml.jackson.core:jackson-databind | 2.4.0 | 2.13.4, 2.12.7.1 | CVE-2022-42004 | High |
| com.fasterxml.woodstox:woodstox-core | 5.3.0 | 5.4.0, 6.4.0 | CVE-2022-40151 | High |
| com.fasterxml.woodstox:woodstox-core | 5.3.0 | 5.4.0, 6.4.0 | CVE-2022-40152 | High |
| com.google.code.gson:gson | 2.8.1 | 2.8.9 | CVE-2022-25647 | High |
| io.netty:netty-all | 4.1.12.Final | 4.1.42.Final | CVE-2019-16869 | High |
| com.google.protobuf:protobuf-java | 3.3.1 | 3.16.3, 3.19.6, 3.20.3, 3.21.7 | CVE-2022-3171 | High |
| com.google.protobuf:protobuf-java | 3.3.1 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | CVE-2022-3509 | High |
| com.google.protobuf:protobuf-java | 3.3.1 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | CVE-2022-3510 | High |
| io.netty:netty-all | 4.1.12.Final | 4.1.86 | CVE-2022-41881 | High |
| org.apache.thrift:libthrift | 0.9.3 | 0.14.0 | CVE-2020-13949 | High |
| org.apache.ant:ant | 1.9.1 | 1.10.9 | CVE-2020-11979 | High |
| org.apache.hadoop:hadoop-yarn-server-common | 3.1.0 | 3.3.2, 3.2.3, 2.10.2 | CVE-2021-33036 | High |
| org.apache.thrift:libthrift | 0.9.3 | 0.12.0 | CVE-2018-1320 | High |
| org.apache.thrift:libthrift | 0.9.3 | 0.13.0 | CVE-2019-0205 | High |
| org.apache.thrift:libthrift | 0.9.3 | 0.13.0 | CVE-2019-0210 | High |
| org.codehaus.jettison:jettison | 1.1 | 1.5.1 | CVE-2022-40149 | High |
| org.codehaus.jettison:jettison | 1.1 | 1.5.2 | CVE-2022-40150 | High |
| org.codehaus.jettison:jettison | 1.1 | 1.5.2 | CVE-2022-45685 | High |
| org.codehaus.jettison:jettison | 1.1 | 1.5.2 | CVE-2022-45693 | High |
| org.apache.hadoop:hadoop-hdfs | 2.2.0 | 2.7.0 | CVE-2017-3162 | High |
| org.apache.hadoop:hadoop-hdfs | 2.2.0 | 2.10.1, 3.1.4, 3.2.2 | CVE-2020-9492 | High |
| org.codehaus.jackson:jackson-mapper-asl | 1.9.2 | | CVE-2019-10172 | High |

neverchanje commented 3 months ago

@pjpringle Could you share which RisingWave version you are using?

pjpringle commented 3 months ago

1.8

neverchanje commented 3 months ago

Hi, @pjpringle

I believe that most of these reported vulnerabilities are not due to the direct dependency of RisingWave. For example, we were actually using <jackson.version>2.13.5</jackson.version> in 1.8 but the reported version is 2.4.0.

See https://github.com/risingwavelabs/risingwave/blob/v1.8.0/java/pom.xml

May I ask which tool you are using to detect these issues?
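
As an added example (not code from the RisingWave project or from either commenter), a small Python triage script that applies the maintainer's check above to a scan table: it groups CVEs per reported package version, compares the scanner's version with the version the pom.xml declares, and flags findings that must come from a transitive or bundled jar rather than a direct dependency. The sample rows and the declared version are constructed from this issue; `parse_version` and `triage` are hypothetical helper names.

```python
"""Triage a dependency-scan table against the versions a pom.xml declares."""
import re
from collections import defaultdict

# Constructed sample rows (package, reported version, fix versions, CVE, severity),
# taken from the scan table above; the log4j 1.x row lists no fixed version.
SCAN_ROWS = [
    ("com.fasterxml.jackson.core:jackson-databind", "2.4.0", ["2.9.4", "2.8.11"], "CVE-2017-15095", "Critical"),
    ("com.fasterxml.jackson.core:jackson-databind", "2.4.0", ["2.13.4.1", "2.12.7.1"], "CVE-2022-42003", "High"),
    ("com.google.protobuf:protobuf-java", "3.7.1", ["3.16.3", "3.19.6", "3.20.3", "3.21.7"], "CVE-2022-3171", "High"),
    ("com.google.protobuf:protobuf-java", "3.3.1", ["3.16.3", "3.19.6", "3.20.3", "3.21.7"], "CVE-2022-3171", "High"),
    ("io.netty:netty-all", "4.1.12.Final", ["4.1.86"], "CVE-2022-41881", "High"),
    ("log4j:log4j", "1.2.17", [], "CVE-2019-17571", "Critical"),
]
# Constructed: the version the build's pom.xml pins for the same coordinates
# (the maintainer's comment above quotes jackson.version 2.13.5 for 1.8).
DECLARED = {"com.fasterxml.jackson.core:jackson-databind": "2.13.5"}

def parse_version(v):
    """Comparable tuple of the numeric parts; qualifiers like '.Final' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def triage(rows, declared):
    """Classify each (package, reported version) group.
    no_fix: a CVE lists no fixed release, swap the library out.
    transitive: pom pins another version, so the jar arrives via a different
      dependency (or bundled); trace with mvn dependency:tree -Dincludes=<pkg>.
    upgrade: the build declares this version (or none): bump it to `target`.
    Assumption: newer release lines carry older lines' fixes, so the highest
    fix version across the group's CVEs is the upgrade target.
    """
    groups = defaultdict(list)
    for pkg, reported, fixes, cve, severity in rows:
        groups[(pkg, reported)].append((cve, severity, fixes))
    result = {}
    for (pkg, reported), cves in groups.items():
        fixed = [max(f, key=parse_version) for _, _, f in cves if f]
        target = max(fixed, key=parse_version) if fixed else None
        pinned = declared.get(pkg)
        if len(fixed) < len(cves):
            kind = "no_fix"
        elif pinned and parse_version(pinned) != parse_version(reported):
            kind = "transitive"
        else:
            kind = "upgrade"
        result[(pkg, reported)] = {"kind": kind, "target": target, "declared": pinned,
                                   "cves": sorted(c for c, _, _ in cves)}
    return result
```

Running `triage(SCAN_ROWS, DECLARED)` marks jackson-databind 2.4.0 as transitive (the pom pins 2.13.5, which already exceeds every listed fix), the protobuf and netty rows as plain upgrades, and log4j 1.2.17 as having no fixed release at all.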

fuyufjh commented 1 month ago

Related https://github.com/risingwavelabs/risingwave/pull/17273