snowflakedb / snowflake-ingest-java

Java SDK for the Snowflake Ingest Service -
http://www.snowflake.net
Apache License 2.0

Snyk: snowflake-ingest-java net.snowflake:snowflake-jdbc 3.18.0 | Snyk ID - SNYK-JAVA-NETSNOWFLAKE-8310506 #890

Closed github-actions[bot] closed 1 week ago

github-actions[bot] commented 2 weeks ago

Title: Snyk: snowflake-ingest-java net.snowflake:snowflake-jdbc 3.18.0
Additional information on Snyk can be found here: https://snyk.io/org/snowflakedb-sca-scanning-public-repo/project/34b0453e-1d9a-450b-9957-893ab6eaede1
Repo: snowflake-ingest-java
CVE: CVE-2024-43382
Package Type: java
Package Name: net.snowflake:snowflake-jdbc
Package Version: 3.18.0
Snyk ID: SNYK-JAVA-NETSNOWFLAKE-8310506
Vulnerability URL: http://security.snyk.io/vuln/SNYK-JAVA-NETSNOWFLAKE-8310506
Severity: high
Introduced Date: 2024-10-31
Projects with Vulnerability: snowflakedb/snowflake-ingest-java:e2e-jar-test/standard/pom.xml
Target File: e2e-jar-test/standard/pom.xml
JIRA Ticket: https://snowflakecomputing.atlassian.net/browse/SNOW-1788014
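An added example, not code from the snowflake-ingest-java project or from Snyk: a minimal Maven dependency check of the kind that produces a finding like the one above. It parses a pom.xml, resolves ${property} version references (which a plain grep for the version string next to the artifactId would miss) and matches each dependency against an advisory record built from the values in the report. The pom.xml content is constructed, and the affected-version set is an assumption that lists only the version the report names.

```python
import re
import xml.etree.ElementTree as ET

# Advisory record built from the Snyk comment above. Assumption: the affected
# set lists only the version reported there, since the page names no others.
ADVISORIES = [
    {"group": "net.snowflake", "artifact": "snowflake-jdbc",
     "affected": {"3.18.0"}, "cve": "CVE-2024-43382",
     "snyk": "SNYK-JAVA-NETSNOWFLAKE-8310506"},
]

# Constructed pom.xml fragment (not the project's e2e-jar-test/standard/pom.xml).
# The version is referenced through a <properties> entry, as Maven builds often do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><snowflake.jdbc.version>3.18.0</snowflake.jdbc.version></properties>
  <dependencies>
    <dependency>
      <groupId>net.snowflake</groupId>
      <artifactId>snowflake-jdbc</artifactId>
      <version>${snowflake.jdbc.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def resolve(version, props):
    """Expand ${name} references from <properties>; unknown names stay verbatim."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version or "")

def find_vulnerable(pom_xml):
    """Return (group:artifact, version, cve) for every dependency in an affected set."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        v = resolve(dep.findtext("m:version", default="", namespaces=NS).strip(), props)
        for adv in ADVISORIES:
            if (g, a) == (adv["group"], adv["artifact"]) and v in adv["affected"]:
                hits.append((f"{g}:{a}", v, adv["cve"]))
    return hits

if __name__ == "__main__":
    for coord, version, cve in find_vulnerable(SAMPLE_POM):
        print(f"{coord} {version} is affected by {cve}")
```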

tlopesPT commented 2 weeks ago

Hey @sfc-gh-lsembera, I'm looking to address this CVE as soon as possible. I just saw your commit on master; do you have a date for the next release of this SDK? Thanks.

sfc-gh-lsembera commented 2 weeks ago

Hi @tlopesPT, we are planning to release this the next week.

sfc-gh-xhuang commented 2 weeks ago

fixed in https://github.com/snowflakedb/snowflake-ingest-java/pull/887

tlopesPT commented 2 weeks ago

Hi @sfc-gh-xhuang, has anyone determined whether this impacts customers using Snowpipe Streaming? My understanding is that internal stages are used for data loading, so I found the following relevant information:

If the stage is an internal (i.e. Snowflake) stage (Image B) data files are automatically encrypted by the Snowflake client on the user’s local machine prior to being transmitted to the internal stage, in addition to being encrypted after they are loaded into the stage. Source: https://docs.snowflake.com/en/user-guide/security-encryption-end-to-end

Snowpipe Streaming only supports using 256-bit AES keys for data encryption. Source: https://docs.snowflake.com/en/user-guide/data-load-snowpipe-streaming-overview#limitations

From reading that, I'd say Snowpipe Streaming is also affected by the CVE for Azure and GCP. However, having done a bit of debugging, I have found that this.getEncryptionKeySize() returns 0 because, in private void setupGCSClient(StageInfo stage, RemoteStoreFileEncryptionMaterial encMat, SFSession session), encMat is null, so the condition containing the bug is skipped anyway.

Did I miss anything?

sfc-gh-xhuang commented 1 week ago

The jdbc issue was only for jdbc uploads but Snowpipe Streaming uses a different upload mechanism to internal stages. Snowpipe Streaming only uses jdbc for the initial authentication.

Snowpipe Streaming is not affected by this CVE