andscoop opened a new issue, #10311: URL: https://github.com/apache/pinot/issues/10311
Pinot is falling behind on image and dependency security. In addition to #10274, I have two other high-level concerns that are going to affect security-conscious organizations' ability to run Apache Pinot on production infrastructure. I'm curious to hear the team's thoughts on the issues below.

### Docker image concerns

The `pinot-base` image is currently based on the `openjdk` [image](https://hub.docker.com/_/openjdk), which is "officially deprecated" and for "non-production builds". Our security software is noting vulnerabilities that would likely be fixed by changing the base image. Pinot users should be able to solve image layer issues easily themselves by either building or pulling artifacts directly into an image of their choice. This responsibility does not fall entirely on Apache Pinot, but if pinot-base continues to use openjdk, I do believe non-production should be specified wherever the image is mentioned.

### Apache Pinot Java Dependencies

Apache Pinot's Java dependencies themselves are probably the greater cause for concern. When pulling artifacts from the 0.12.0 release into our image, our security scan is flagging the CVEs listed below. Of course the responsibility does not fall entirely on the maintainers of the open source project. I have created #10304 to get a feel for contributing. I do have concerns that some of these dependency upgrades are non-trivial and will likely require intimate knowledge of the project, or at least more Java knowledge than I currently possess.
```
15:47:14.189 I Image Vulnerabilities
15:47:14.189 I ID Severity Package Name Package Version
15:47:14.189 I CVE-2022-25168 critical org.apache.hadoop_hadoop-hdfs 2.10.1
15:47:14.189 I CVE-2022-23305 critical log4j_log4j 1.2.17
15:47:14.189 I CVE-2021-37404 critical org.apache.hadoop_hadoop-hdfs 2.10.1
15:47:14.189 I CVE-2020-9548 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-9547 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-9546 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-9493 critical log4j_log4j 1.2.17
15:47:14.189 I CVE-2020-8840 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2019-20330 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2019-17571 critical log4j_log4j 1.2.17
15:47:14.189 I CVE-2019-17531 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2019-16943 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2019-16942 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2018-7489 critical com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.189 I CVE-2019-20445 critical io.netty_netty 3.10.6
15:47:14.189 I CVE-2019-20444 critical io.netty_netty 3.10.6
15:47:14.189 I CVE-2022-26612 critical org.apache.hadoop_hadoop-common 2.10.1
15:47:14.189 I CVE-2022-25168 critical org.apache.hadoop_hadoop-common 2.10.1
15:47:14.189 I CVE-2021-37404 critical org.apache.hadoop_hadoop-common 2.10.1
15:47:14.189 I CVE-2022-23307 high log4j_log4j 1.2.17
15:47:14.189 I CVE-2022-23302 high log4j_log4j 1.2.17
15:47:14.189 I CVE-2021-33036 high org.apache.hadoop_hadoop-hdfs 2.10.1
15:47:14.189 I CVE-2021-25642 high org.apache.hadoop_hadoop-hdfs 2.10.1
15:47:14.189 I CVE-2020-11113 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-11112 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-11111 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-10969 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-10968 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-10673 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-10672 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2021-20190 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-36189 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-36188 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-36187 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-36186 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-36185 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-36184 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2020-36183 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-36182 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-36181 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-36180 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-36179 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-35728 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-35491 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-35491 high com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2020-35490 high com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2020-35490 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-24750 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-24616 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-14195 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-14062 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-14061 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-14060 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-11620 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-11619 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-10650 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-10650 high com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2022-42004 high com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2022-42004 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2022-42004 high com.fasterxml.jackson.core_jackson-databind 2.12.7
15:47:14.190 I CVE-2022-42003 high com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2022-42003 high com.fasterxml.jackson.core_jackson-databind 2.12.7
15:47:14.190 I CVE-2022-42003 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2022-41881 high io.netty_netty-all 4.1.79
15:47:14.190 I CVE-2022-41881 high io.netty_netty 3.10.6
15:47:14.190 I CVE-2022-41881 high io.netty_netty-codec 4.1.79
15:47:14.190 I CVE-2021-37137 high io.netty_netty 3.10.6
15:47:14.190 I CVE-2021-37136 high io.netty_netty 3.10.6
15:47:14.190 I CVE-2020-36518 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2020-36518 high com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2020-25649 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.191 I CVE-2019-16869 high io.netty_netty 3.10.6
15:47:14.191 I CVE-2021-22573 high com.google.oauth-client_google-oauth-client 1.31.0
15:47:14.191 I CVE-2022-45693 high org.codehaus.jettison_jettison 1.1
15:47:14.191 I CVE-2022-45685 high org.codehaus.jettison_jettison 1.1
15:47:14.191 I CVE-2022-40150 high org.codehaus.jettison_jettison 1.1
15:47:14.191 I CVE-2022-3510 high com.google.protobuf_protobuf-java 3.19.2
15:47:14.191 I CVE-2022-3509 high com.google.protobuf_protobuf-java 3.19.2
```
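Triage of a report in the scanner format quoted above, as an added example (not code from the issue or the Pinot project): it parses the `HH:MM:SS.mmm I <CVE> <severity> <artifact> <version>` lines, de-duplicates CVEs that the scanner repeats once per bundled version of the same artifact, and ranks artifacts by distinct critical, then high, findings so upgrade effort goes where it removes the most CVEs. The sample report is a constructed subset of the issue's output; the function names are the example's own.

```python
"""Triage of the scanner output format quoted in the issue (added example, not Pinot code).
The scanner repeats a CVE once per bundled version of an artifact, so findings are
de-duplicated per artifact and ranked by distinct critical, then high, CVEs."""
import re
from collections import defaultdict

# Constructed sample: a subset of the issue's report, in the scanner's exact line format.
SAMPLE_REPORT = """\
15:47:14.189 I Image Vulnerabilities
15:47:14.189 I ID Severity Package Name Package Version
15:47:14.189 I CVE-2022-23305 critical log4j_log4j 1.2.17
15:47:14.189 I CVE-2020-9548 critical com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.189 I CVE-2018-7489 critical com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2022-42004 high com.fasterxml.jackson.core_jackson-databind 2.4.0
15:47:14.190 I CVE-2022-42004 high com.fasterxml.jackson.core_jackson-databind 2.9.10
15:47:14.190 I CVE-2022-42004 high com.fasterxml.jackson.core_jackson-databind 2.12.7
15:47:14.190 I CVE-2022-41881 high io.netty_netty-all 4.1.79
15:47:14.190 I CVE-2022-41881 high io.netty_netty 3.10.6
"""

# Header lines ("Image Vulnerabilities", the column names) do not match and are skipped.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} I (CVE-\d{4}-\d{4,}) (\w+) (\S+) (\S+)$")

def parse_report(text):
    """Yield (cve, severity, artifact, version) for every finding line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def summarize(text):
    """Per artifact: the set of bundled versions and the distinct CVEs per severity."""
    summary = defaultdict(lambda: {"versions": set(), "critical": set(), "high": set()})
    for cve, severity, artifact, version in parse_report(text):
        entry = summary[artifact]
        entry["versions"].add(version)
        entry.setdefault(severity, set()).add(cve)  # other severities get their own bucket
    return summary

def upgrade_priority(text):
    """Artifacts ordered by distinct critical, then high, CVEs; ties broken by name."""
    summary = summarize(text)
    return sorted(summary, key=lambda a: (-len(summary[a]["critical"]), -len(summary[a]["high"]), a))

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for artifact in upgrade_priority(SAMPLE_REPORT):
        e = s[artifact]
        print(f"{artifact}: versions={sorted(e['versions'])} critical={len(e['critical'])} high={len(e['high'])}")
```

On the full report the same ranking puts jackson-databind far ahead of everything else, and the version sets show where a single artifact is bundled at several versions, which is the case that a naive one-line-per-CVE count overstates.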