trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
Apache License 2.0

Vulnerabilities in Trino Docker images - 460, 461, 462, 463, 464 #24001

Closed venkata2395 closed 3 weeks ago

venkata2395 commented 3 weeks ago

Hi Trino Maintainers,

We have observed that recent Trino Docker images contain several security vulnerabilities, as highlighted by security scans from tools such as Azure Defender and Trivy. Given the critical nature of some of these vulnerabilities, they could pose risks in production-like environments.

CVEs reported for the 462 image (severity | identifier):

High | CVE-2023-3635
High | CVE-2023-3635
Critical | Oracle Critical Patch Update Advisory - January 2024 - Oracle CSAF
High | CVE-2024-47561
High | CVE-2024-29131
High | CVE-2024-29133
High | CVE-2023-4586
Medium | CVE-2022-40149
Medium | CVE-2022-40150
High | CVE-2022-45685
Medium | CVE-2022-45693
Medium | CVE-2023-1436
Medium | CVE-2024-47554
Medium | CVE-2021-37533
Medium | CVE-2024-29025
Medium | CVE-2023-34462
High | CVE-2023-4586
High | CVE-2021-31684
High | CVE-2023-1370
Critical | CVE-2017-15095 | Unhealthy
Critical | DSA-4114-1 jackson-databind
Critical | CVE-2017-7525
Medium | CVE-2018-11307
Critical | CVE-2018-12022
Critical | CVE-2018-14718
Critical | CVE-2018-14719
Medium | CVE-2018-19362
Critical | CVE-2020-36181
Critical | CVE-2020-36182
Critical | CVE-2020-36183
Critical | CVE-2020-36184
Medium | CVE-2020-8840
Critical | CVE-2020-9547
Critical | CVE-2020-9548
Critical | CVE-2021-20190
Medium | CVE-2022-42003
Medium | CVE-2022-42004
Critical | CVE-2020-36179
Critical | CVE-2020-36185
High | DSA-4114-1 jackson-databind
High | CVE-2018-7489
Medium | CVE-2019-12086
Critical | CVE-2019-12384
High | CVE-2019-12814
Critical | CVE-2019-14379
Medium | CVE-2019-14439
Medium | CVE-2019-14540
Critical | CVE-2019-14892 jackson-databind
Medium | CVE-2019-16335
Critical | CVE-2019-16942
Critical | CVE-2019-16943
High | CVE-2019-17267
Critical | CVE-2019-17531
High | CVE-2019-20330
High | CVE-2020-10650
Critical | CVE-2020-10673
Critical | CVE-2020-24616
Critical | CVE-2020-24750
High | CVE-2020-35490
High | CVE-2020-35491
High | CVE-2020-35728
Critical | CVE-2020-36180
Critical | CVE-2020-36186
Critical | CVE-2020-36187
Critical | CVE-2020-36188
Critical | CVE-2020-36189
High | CVE-2020-36518
Medium | CVE-2022-40152
High | Oracle Critical Patch Update Advisory - April 2024 - Oracle CSAF
High | CVE-2024-29131
High | CVE-2024-29133
Medium | CVE-2024-36124
Medium | CVE-2024-29025
Medium | CVE-2023-34453
High | CVE-2023-34454
High | CVE-2023-34455
High | CVE-2023-43642
High | CVE-2024-25638
Low | CVE-2024-23454
Medium | CVE-2013-6429
Medium | CVE-2015-3192
Critical | OVERRIDDEN:CVE-2016-1000027
High | CVE-2024-22243
High | CVE-2024-22259
High | CVE-2024-22262
Medium | OVERRIDDEN:CVE-2024-38809
High | CVE-2024-7254
Medium | CVE-2013-6429
Medium | DSA-2857-1 libspring-java
Medium | CVE-2015-3192
Critical | OVERRIDDEN:CVE-2016-1000027
High | CVE-2024-22243
High | CVE-2024-22259
High | CVE-2024-22262
Medium | OVERRIDDEN:CVE-2024-38809

A couple of questions:

  1. Is there an active effort to address these image vulnerabilities? If so, is there a timeline for releasing patched images?
  2. Are there any plans to adopt a regular security review process or release cadence to minimize vulnerabilities in future image releases?

Thank you for your hard work on Trino! Please let us know if the community can assist or provide feedback in addressing these issues.

nineinchnick commented 3 weeks ago

Can you identify the affected component for every vulnerability? Otherwise it's impossible to process that list.
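One way to produce the component-level view asked for above, as an added example that is not code from the Trino project or from anyone in this thread: read a Trivy JSON report (`trivy image --format json`), flatten the findings, and collapse them onto (package, installed version) so that the same jar bundled into several plugin directories shows up once with every path it was seen at. The report below is constructed for the demo; the CVE-to-package pairings follow the public advisories, but the jar paths, installed versions and the image name are made up and do not describe any actual Trino image, and severities are whatever the scanner's feed emits, which differs between feeds.

```python
"""Group Trivy findings by affected component for triage (added example)."""
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample in the layout of `trivy image --format json`.
# Paths, versions and the image name are illustrative only.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/trino:462",
    "Results": [
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             # Same jar copied into two plugins: the scanner reports it twice.
             {"VulnerabilityID": "CVE-2020-36518", "Severity": "HIGH",
              "PkgName": "com.fasterxml.jackson.core:jackson-databind",
              "InstalledVersion": "2.12.0", "FixedVersion": "2.12.6.1",
              "PkgPath": "usr/lib/trino/plugin/plugin-a/jackson-databind-2.12.0.jar"},
             {"VulnerabilityID": "CVE-2020-36518", "Severity": "HIGH",
              "PkgName": "com.fasterxml.jackson.core:jackson-databind",
              "InstalledVersion": "2.12.0", "FixedVersion": "2.12.6.1",
              "PkgPath": "usr/lib/trino/plugin/plugin-b/jackson-databind-2.12.0.jar"},
             {"VulnerabilityID": "CVE-2022-42003", "Severity": "HIGH",
              "PkgName": "com.fasterxml.jackson.core:jackson-databind",
              "InstalledVersion": "2.12.0", "FixedVersion": "2.12.7.1",
              "PkgPath": "usr/lib/trino/plugin/plugin-a/jackson-databind-2.12.0.jar"},
             {"VulnerabilityID": "CVE-2023-3635", "Severity": "HIGH",
              "PkgName": "com.squareup.okio:okio",
              "InstalledVersion": "3.2.0", "FixedVersion": "3.4.0",
              "PkgPath": "usr/lib/trino/plugin/plugin-c/okio-3.2.0.jar"},
             {"VulnerabilityID": "CVE-2024-47561", "Severity": "CRITICAL",
              "PkgName": "org.apache.avro:avro",
              "InstalledVersion": "1.11.3", "FixedVersion": "1.11.4",
              "PkgPath": "usr/lib/trino/plugin/plugin-d/avro-1.11.3.jar"},
         ]},
        # OS layer with nothing to report: Trivy omits "Vulnerabilities".
        {"Target": "example/trino:462 (ubuntu 22.04)", "Class": "os-pkgs",
         "Type": "ubuntu"},
    ],
})


def flatten_findings(report_json):
    """One dict per scanner finding; PkgPath falls back to the result Target."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "cve": vuln["VulnerabilityID"],
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "component": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "path": vuln.get("PkgPath") or result.get("Target", ""),
            })
    return findings


def group_by_component(findings):
    """Collapse findings onto (component, installed version), keeping every path."""
    groups = {}
    for f in findings:
        g = groups.setdefault((f["component"], f["installed"]),
                              {"cves": {}, "paths": set(), "fixed": set()})
        g["cves"][f["cve"]] = f["severity"]   # duplicate CVE entries collapse here
        g["paths"].add(f["path"])
        if f["fixed"]:
            g["fixed"].add(f["fixed"])
    return groups


def triage_rows(report_json):
    """Sorted triage table: worst severity first, then component name."""
    rows = []
    for (component, installed), g in group_by_component(flatten_findings(report_json)).items():
        worst = min(g["cves"].values(), key=lambda s: SEVERITY_RANK.get(s, 99))
        rows.append({
            "component": component, "installed": installed, "worst_severity": worst,
            "cves": sorted(g["cves"]),
            # String-sorted fix versions; whether the highest one closes every
            # listed CVE is something the reviewer still has to confirm.
            "fix_candidates": sorted(g["fixed"]),
            "paths": sorted(g["paths"]),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["worst_severity"], 99), r["component"]))
    return rows


def format_report(rows):
    """Plain-text rendering: one header per component, then its CVEs and paths."""
    lines = []
    for r in rows:
        fixes = ", ".join(r["fix_candidates"]) or "no fix recorded"
        lines.append(f"{r['worst_severity']:8} {r['component']} {r['installed']} -> {fixes}")
        lines.extend(f"    {cve}" for cve in r["cves"])
        lines.extend(f"    at {p}" for p in r["paths"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage_rows(SAMPLE_REPORT)))
```

Run against a real report with `python3 triage.py < report.json` after replacing `SAMPLE_REPORT` with `sys.stdin.read()`; the paths column is what tells you which plugin loads the jar, which is the context needed to decide whether a finding is reachable in Trino or a false alarm.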

mosabua commented 3 weeks ago

Please assess each issue and determine if it is actually real or just a false alarm from some buggy scanning tool that does not understand the context of the library usage. Then propose remediation for each security problem in an issue and ideally create a pull request with a proposed fix. Keep in mind that we are NOT doing any patch releases or anything like that but will just fix issues and roll the fixes into new releases.

With regards to your questions:

We already have active monitoring for security issues with all our dependency upgrades and as part of our regular development and releases. Fixes are rolled into new releases. There are no patch releases; if you need fixes for an old release, please backport on your own fork or get assistance from a vendor.

mosabua commented 3 weeks ago

Since this issue, as it stands, is not actionable, I am closing it.