
Vulnerabilities in AWS Java SDK Bundle used by Jet master

Open olukas opened this issue 3 years ago • 4 comments

Jet uses AWS Java SDK Bundle 1.11.934 which has shaded some artifacts with vulnerabilities.

It shades com.fasterxml.jackson.core:jackson-databind:2.6.7.4 which includes the following vulnerabilities:

  • CVE-2020-35491 - https://nvd.nist.gov/vuln/detail/CVE-2020-35491 (fixed in 2.9.10.8)
  • CVE-2020-35490 - https://nvd.nist.gov/vuln/detail/CVE-2020-35490 (fixed in 2.9.10.8)
  • CVE-2018-7489 - https://nvd.nist.gov/vuln/detail/CVE-2018-7489 (fixed in 2.7.9.3, 2.8.11.1, 2.9.5)

It shades com.amazonaws:aws-java-sdk-prometheus:1.11.934 which includes the following vulnerability:

  • CVE-2019-3826 - https://nvd.nist.gov/vuln/detail/CVE-2019-3826 (fixed in 2.7.1)

It shades com.fasterxml.jackson.core:jackson-annotations:2.6.0 and com.fasterxml.jackson.core:jackson-core:2.6.7 which include the following vulnerability:

  • CVE-2018-1000873 - https://nvd.nist.gov/vuln/detail/CVE-2018-1000873 (fixed in 2.9.8)

It shades io.netty:netty-transport:4.1.53.Final which includes the following vulnerability:

  • CVE-2021-21290 - https://nvd.nist.gov/vuln/detail/CVE-2021-21290 (fixed in 4.1.59.Final)

olukas avatar Mar 16 '21 10:03 olukas
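The report above hinges on versions that are hidden inside one shaded bundle jar, which is exactly what a plain dependency scanner misses. The following is an added example, not code from the issue or from Hazelcast Jet: it reads the `META-INF/maven/*/*/pom.properties` entries a shaded jar usually keeps (an assumption about how the bundle was built) and flags shaded artifacts that are below the fix versions named in the report. The jar it inspects is a constructed stand-in carrying only that metadata.

```python
import io
import re
import zipfile

# Minimum fixed versions taken from the report (CVE-2018-7489 has per-branch fixes and is left out).
FIXED_IN = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.9.10.8",
    ("com.fasterxml.jackson.core", "jackson-core"): "2.9.8",
    ("io.netty", "netty-transport"): "4.1.59.Final",
}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def version_key(version):
    """Numeric tuple so that '4.1.53.Final' < '4.1.59.Final' and '2.6.7.4' < '2.9.10.8'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def shaded_components(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties found in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not POM_PROPS.match(name):
                continue
            lines = jar.read(name).decode("utf-8").splitlines()
            props = dict(line.split("=", 1) for line in lines if "=" in line and not line.startswith("#"))
            found[(props["groupId"].strip(), props["artifactId"].strip())] = props["version"].strip()
    return found

def outdated_components(jar_bytes, fixed_in=FIXED_IN):
    """Shaded artifacts whose version is below the fix version: {(group, artifact): (have, need)}."""
    return {coords: (ver, fixed_in[coords]) for coords, ver in shaded_components(jar_bytes).items()
            if coords in fixed_in and version_key(ver) < version_key(fixed_in[coords])}

def build_sample_bundle():
    """Constructed stand-in for aws-java-sdk-bundle-1.11.934.jar; only the Maven metadata is present."""
    entries = {
        "com.fasterxml.jackson.core/jackson-databind": "2.6.7.4",
        "com.fasterxml.jackson.core/jackson-core": "2.6.7",
        "io.netty/netty-transport": "4.1.53.Final",
        "com.amazonaws/aws-java-sdk-bundle": "1.11.934",  # the bundle itself, not in FIXED_IN
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, version in entries.items():
            group, artifact = path.split("/")
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"#Generated by Maven\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()
```

Against a real bundle, pass the bytes of the jar file to `outdated_components`; a bundle built with the Maven metadata stripped returns nothing, so an empty result is not proof of absence.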

We already use the latest, as of today, version of AWS Java SDK Bundle (1.11.976) - #2989 addressed the Netty part.

gierlachg avatar Mar 17 '21 14:03 gierlachg

There is a newly reported CVE for this version. AWS Java SDK Bundle 1.11.976 shades com.amazonaws:aws-java-sdk-storagegateway:1.11.976 which includes the following vulnerability:

  • CVE-2021-20291 - https://nvd.nist.gov/vuln/detail/CVE-2021-20291

olukas avatar Apr 08 '21 11:04 olukas

There are newly reported CVEs for this version. AWS Java SDK Bundle 1.11.976 shades io.netty:netty-transport:4.1.59.Final which includes the following vulnerabilities:

  • CVE-2021-21409 - https://nvd.nist.gov/vuln/detail/CVE-2021-21409
  • CVE-2021-21295 - https://nvd.nist.gov/vuln/detail/CVE-2021-21295

olukas avatar Apr 13 '21 06:04 olukas

In Jet 4.5.2 we migrated to AWS Java SDK Bundle 1.12.128 which has shaded some artifacts with vulnerabilities.

It shades com.amazonaws:aws-java-sdk-prometheus:1.12.128 which includes the following vulnerability:

  • CVE-2019-3826 - https://nvd.nist.gov/vuln/detail/CVE-2019-3826 (fixed in 2.7.1)

It shades com.amazonaws:aws-java-sdk-storagegateway:1.12.128 which includes the following vulnerability:

  • CVE-2021-20291 - https://nvd.nist.gov/vuln/detail/CVE-2021-20291 (fixed in 1.28.1)

It shades io.netty:netty-transport:4.1.68.Final which includes the following vulnerability:

  • CVE-2021-43797 - https://nvd.nist.gov/vuln/detail/CVE-2021-43797 (fixed in 4.1.71.Final)

olukas avatar Dec 16 '21 09:12 olukas