Vulnerabilities in JanusGraph dependencies
Hello all,
Running a Trivy vulnerability scan on the latest release (v1.0.0), there are several issues related to the Elasticsearch client for version 7. Could you confirm whether JanusGraph is affected by these vulnerabilities and, if so, are there plans to update the related dependencies?
Steps to reproduce:
$ curl -LO https://github.com/JanusGraph/janusgraph/releases/download/v1.0.0/janusgraph-full-1.0.0.zip
$ unzip janusgraph-full-1.0.0.zip
$ trivy rootfs janusgraph-full-1.0.0
...
| Library (jar) | Vulnerability | Severity | Installed | Fixed | Title / reference |
|---|---|---|---|---|---|
| org.elasticsearch:elasticsearch (elasticsearch-7.17.8.jar) | CVE-2023-31418 | HIGH | 7.17.8 | 7.17.13, 8.9.0 | elasticsearch: uncontrolled resource consumption (https://avd.aquasec.com/nvd/cve-2023-31418) |
| org.elasticsearch:elasticsearch (elasticsearch-7.17.8.jar) | CVE-2023-31417 | MEDIUM | 7.17.8 | 7.17.13, 8.9.2 | elasticsearch: Sensitive information in audit logs (https://avd.aquasec.com/nvd/cve-2023-31417) |
| org.elasticsearch:elasticsearch (elasticsearch-7.17.8.jar) | CVE-2023-31419 | MEDIUM | 7.17.8 | 7.17.13, 8.9.1 | elasticsearch: StackOverflow vulnerability (https://avd.aquasec.com/nvd/cve-2023-31419) |
| org.elasticsearch:elasticsearch (elasticsearch-7.17.8.jar) | CVE-2023-46673 | MEDIUM | 7.17.8 | 7.17.14, 8.10.3 | elasticsearch: Improper Handling of Exceptional Conditions (https://avd.aquasec.com/nvd/cve-2023-46673) |
| org.elasticsearch:elasticsearch (elasticsearch-7.17.8.jar) | CVE-2024-23450 | MEDIUM | 7.17.8 | 7.17.19, 8.13.0 | elasticsearch: Possible denial of service when processing documents in a deeply nested... (https://avd.aquasec.com/nvd/cve-2024-23450) |
| org.xerial.snappy:snappy-java (snappy-java-1.1.2.6.jar) | CVE-2023-34455 | HIGH | 1.1.2.6 | 1.1.10.1 | snappy-java: Unchecked chunk length leads to DoS (https://avd.aquasec.com/nvd/cve-2023-34455) |
| org.xerial.snappy:snappy-java (snappy-java-1.1.2.6.jar) | CVE-2023-43642 | HIGH | 1.1.2.6 | 1.1.10.4 | snappy-java: Missing upper bound check on chunk length in snappy-java can lead... (https://avd.aquasec.com/nvd/cve-2023-43642) |
| org.xerial.snappy:snappy-java (snappy-java-1.1.2.6.jar) | CVE-2023-34453 | MEDIUM | 1.1.2.6 | 1.1.10.1 | snappy-java: Integer overflow in shuffle leads to DoS (https://avd.aquasec.com/nvd/cve-2023-34453) |
| org.xerial.snappy:snappy-java (snappy-java-1.1.2.6.jar) | CVE-2023-34454 | MEDIUM | 1.1.2.6 | 1.1.10.1 | snappy-java: Integer overflow in compress leads to DoS (https://avd.aquasec.com/nvd/cve-2023-34454) |
| org.yaml:snakeyaml (snakeyaml-1.26.jar) | CVE-2022-1471 | HIGH | 1.26 | 2.0 | SnakeYaml: Constructor Deserialization Remote Code Execution (https://avd.aquasec.com/nvd/cve-2022-1471) |
| org.yaml:snakeyaml (snakeyaml-1.26.jar) | CVE-2022-25857 | HIGH | 1.26 | 1.31 | snakeyaml: Denial of Service due to missing nested depth limitation for collections... (https://avd.aquasec.com/nvd/cve-2022-25857) |
| org.yaml:snakeyaml (snakeyaml-1.26.jar) | CVE-2022-38749 | MEDIUM | 1.26 | 1.31 | snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (https://avd.aquasec.com/nvd/cve-2022-38749) |
| org.yaml:snakeyaml (snakeyaml-1.26.jar) | CVE-2022-38750 | MEDIUM | 1.26 | 1.31 | snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (https://avd.aquasec.com/nvd/cve-2022-38750) |
| org.yaml:snakeyaml (snakeyaml-1.26.jar) | CVE-2022-38751 | MEDIUM | 1.26 | 1.31 | snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (https://avd.aquasec.com/nvd/cve-2022-38751) |
| org.yaml:snakeyaml (snakeyaml-1.26.jar) | CVE-2022-38752 | MEDIUM | 1.26 | 1.32 | snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (https://avd.aquasec.com/nvd/cve-2022-38752) |
| org.yaml:snakeyaml (snakeyaml-1.26.jar) | CVE-2022-41854 | MEDIUM | 1.26 | 1.32 | dev-java/snakeyaml: DoS via stack overflow (https://avd.aquasec.com/nvd/cve-2022-41854) |
| org.yaml:snakeyaml (elasticsearch-sql-cli-7.17.8.jar) | CVE-2022-1471 | HIGH | 1.33 | 2.0 | SnakeYaml: Constructor Deserialization Remote Code Execution (https://avd.aquasec.com/nvd/cve-2022-1471) |
| org.yaml:snakeyaml (snakeyaml-1.33.jar) | CVE-2022-1471 | HIGH | 1.33 | 2.0 | SnakeYaml: Constructor Deserialization Remote Code Execution (https://avd.aquasec.com/nvd/cve-2022-1471) |
Is there any plan to update this client?
Looks like we currently only ship Elasticsearch in this version because we still support Java 8: https://github.com/JanusGraph/janusgraph/blob/d9f89edeb820053bfd4459879d39238e23a4b112/janusgraph-dist/pom.xml#L204-L209
Apart from that, we are already on Elasticsearch 8.10.4: https://github.com/JanusGraph/janusgraph/blob/d9f89edeb820053bfd4459879d39238e23a4b112/pom.xml#L77
So I guess we also need to abandon Java 8 here to make any progress: #3547.
I haven't looked into the vulnerabilities themselves though so I can't say whether we are affected by them at all or not.
However, this is only a problem if you're using the full distribution, which comes with a complete installation of Elasticsearch & Cassandra. We mostly see this as a distribution to get users quickly up to speed with JanusGraph. For production use cases, especially if security is important, I'd recommend using the default distribution (janusgraph-1.0.0.zip) and deploying your own installation of Cassandra & Elasticsearch. That also enables you to deploy these backends in a more recent version.
And in general, we are of course eager to keep our dependencies up-to-date. We are using Dependabot for example to automatically get PRs for dependency updates and we are also using Trivy scans as part of our CI pipeline.
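The scan output above and the mention of Trivy in CI both raise the same triage question: for each bundled jar, what is the smallest in-line upgrade that clears every finding, and which findings cannot be cleared without a major-version bump (SnakeYAML 1.x to 2.0 being the case in the table). The script below is an added example, not code from this issue, from JanusGraph or from Trivy: it reads the JSON Trivy emits with `--format json` (the fields `Results[].Target`, `Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), groups findings per jar and package, and reports the required version. The embedded report is constructed to mirror a few rows of the table; the jar paths inside it are assumed, not the real layout of the distribution.

```python
"""Triage helper for `trivy rootfs --format json <dir>` output.

Added example: per (jar, package) it reports the worst severity, the lowest
version in the installed major line that fixes every CVE, and the CVEs whose
only fixes live in a newer major line (they need a major-version bump).
"""
import json
import re

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of Trivy's JSON report. Versions and CVE ids
# copy rows from the scan in this issue; the jar paths are assumed.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "janusgraph-full-1.0.0/elasticsearch/lib/elasticsearch-7.17.8.jar",
     "Class": "lang-pkgs", "Type": "jar",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2023-31418", "PkgName": "org.elasticsearch:elasticsearch",
          "InstalledVersion": "7.17.8", "FixedVersion": "7.17.13, 8.9.0", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2024-23450", "PkgName": "org.elasticsearch:elasticsearch",
          "InstalledVersion": "7.17.8", "FixedVersion": "7.17.19, 8.13.0", "Severity": "MEDIUM"}]},
    {"Target": "janusgraph-full-1.0.0/lib/snakeyaml-1.26.jar",
     "Class": "lang-pkgs", "Type": "jar",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2022-1471", "PkgName": "org.yaml:snakeyaml",
          "InstalledVersion": "1.26", "FixedVersion": "2.0", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2022-25857", "PkgName": "org.yaml:snakeyaml",
          "InstalledVersion": "1.26", "FixedVersion": "1.31", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2022-38752", "PkgName": "org.yaml:snakeyaml",
          "InstalledVersion": "1.26", "FixedVersion": "1.32", "Severity": "MEDIUM"}]},
    # A result with no vulnerabilities at all: Trivy may emit the key as null.
    {"Target": "janusgraph-full-1.0.0/lib/clean.jar", "Class": "lang-pkgs",
     "Type": "jar", "Vulnerabilities": None},
]})


def parse_version(v):
    """'7.17.13' -> (7, 17, 13). Non-numeric parts are ignored (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def same_line_fix(installed, fixed_field):
    """Lowest fix sharing the installed major version, or None.

    Trivy joins several fixed versions as 'a, b'; an empty field means no fix.
    """
    major = parse_version(installed)[:1]
    candidates = [f.strip() for f in fixed_field.split(",") if f.strip()]
    in_line = [f for f in candidates if parse_version(f)[:1] == major]
    return min(in_line, key=parse_version) if in_line else None


def triage(report_json):
    """Return {(target, package): summary} for every finding in the report."""
    report = json.loads(report_json)
    out = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = (result["Target"], v["PkgName"])
            entry = out.setdefault(key, {
                "installed": v["InstalledVersion"], "worst": "UNKNOWN",
                "required": None, "needs_major_bump": [], "unfixed": [], "cves": []})
            entry["cves"].append(v["VulnerabilityID"])
            if SEVERITY_RANK.get(v["Severity"], 0) > SEVERITY_RANK[entry["worst"]]:
                entry["worst"] = v["Severity"]
            fixed_field = v.get("FixedVersion") or ""
            if not fixed_field:
                entry["unfixed"].append(v["VulnerabilityID"])
                continue
            fix = same_line_fix(v["InstalledVersion"], fixed_field)
            if fix is None:
                entry["needs_major_bump"].append(v["VulnerabilityID"])
            elif entry["required"] is None or parse_version(fix) > parse_version(entry["required"]):
                # Clearing every CVE needs the highest of the per-CVE minimum fixes.
                entry["required"] = fix
    return out


def render(summary):
    """One line per (jar, package), suitable for a CI log."""
    lines = []
    for (target, pkg), e in sorted(summary.items()):
        line = f"{target} {pkg} {e['installed']} worst={e['worst']} upgrade_to={e['required']}"
        if e["needs_major_bump"]:
            line += " major_bump_for=" + ",".join(e["needs_major_bump"])
        if e["unfixed"]:
            line += " no_fix_for=" + ",".join(e["unfixed"])
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(render(triage(SAMPLE_REPORT))))
```

Run it against a real report with `trivy rootfs --format json -o report.json janusgraph-full-1.0.0` and replace `SAMPLE_REPORT` with the file contents; the in-line/major-bump split is the part worth keeping, because a jar like snakeyaml-1.26 can be moved to 1.32 for the DoS findings but still shows CVE-2022-1471 until a 2.x upgrade, which is a different change for a Java project than bumping a patch version.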