Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE] Upgrade dependencies for Azure related plugins to mitigate CVEs #661

Closed
wants to merge 4 commits into from
Closed

[CVE] Upgrade dependencies for Azure related plugins to mitigate CVEs #661

wants to merge 4 commits into from

Conversation

abbashus
Copy link
Contributor

@abbashus abbashus commented May 5, 2021
edited
Loading

Description

This PR aims to upgrade the dependencies to resolve the respective CVE's:

Dependency Update To Module CVE's
commons-io-2.4.jar 2.7 discovery-azure-classic https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
jackson-mapper-asl-1.9.2.jar com.fasterxml.jackson.core:jackson-databind:2.9.9 discovery-azure-classic https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172 , https://access.redhat.com/errata/RHSA-2019:2938
guava-20.0.jar 30.1.1-jre repository-azure https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Issues Resolved

Relates #646

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Abbas Hussain abbas_10690@yahoo.com

@abbashus
Update commons-io-2.4.jar to 2.7 for plugins/discovery-azure-classic …
2ec616e 
…module

Signed-off-by: Abbas Hussain <abbas_10690@yahoo.com>
@opensearch-ci-bot
Copy link
Collaborator

✅   DCO Check Passed 2ec616e

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Wrapper Validation success 2ec616e

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Precommit success 2ec616e

@adnapibar
Copy link
Contributor

As per the google/guava#4011 v30.0 does not fix the CVE. I think we need to update to 30.1.1

@abbashus
Copy link
Contributor Author

abbashus commented May 5, 2021
edited
Loading

guava:30.1.1-jre also does not fix it, though we should still upgrade it to this version. The correct fix is to use the more secure java.nio.file.Files.createTempDirectory() API.

For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

@abbashus abbashus self-assigned this May 5, 2021
@abbashus abbashus added the CVE Fixes a CVE label May 5, 2021
@abbashus abbashus marked this pull request as draft May 5, 2021 22:39
@opensearch-ci-bot
Copy link
Collaborator

❌   DCO Check Failed 3cebd9688626ce12b8176fc79c69408c24b4f27b
Run ./dev-tools/signoff-check.sh remotes/origin/main 3cebd9688626ce12b8176fc79c69408c24b4f27b to check locally
Use git commit with -s to add 'Signed-of-by: {EMAIL}' on impacted commits

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Wrapper Validation success 3cebd9688626ce12b8176fc79c69408c24b4f27b

@abbashus
Merge branch 'main' into fix-cve
be4cf8f 
Signed-off-by: Abbas Hussain <abbas_10690@yahoo.com>
@opensearch-ci-bot
Copy link
Collaborator

✅   DCO Check Passed be4cf8f

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Wrapper Validation success be4cf8f

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Precommit success 3cebd9688626ce12b8176fc79c69408c24b4f27b

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Precommit success be4cf8f

@rursprung rursprung mentioned this pull request May 6, 2021
Closed
@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Wrapper Validation success 249131c13912282db0a9f0fda6683d5eada65545

@opensearch-ci-bot
Copy link
Collaborator

❌   DCO Check Failed 249131c13912282db0a9f0fda6683d5eada65545
Run ./dev-tools/signoff-check.sh remotes/origin/main 249131c13912282db0a9f0fda6683d5eada65545 to check locally
Use git commit with -s to add 'Signed-of-by: {EMAIL}' on impacted commits

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Precommit success 249131c13912282db0a9f0fda6683d5eada65545

@abbashus
Merge branch 'main' into fix-cve
f3eea4f 
Signed-off-by: Abbas Hussain <abbas_10690@yahoo.com>
@opensearch-ci-bot
Copy link
Collaborator

❌   DCO Check Failed f3eea4f
Run ./dev-tools/signoff-check.sh remotes/origin/main f3eea4ffe391cc2068412f420fe7e07abcad6439 to check locally
Use git commit with -s to add 'Signed-of-by: {EMAIL}' on impacted commits

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Wrapper Validation success f3eea4f

@opensearch-ci-bot
Copy link
Collaborator

✅   Gradle Precommit success f3eea4f

@abbashus
Copy link
Contributor Author

Closing in lieu of #688

@abbashus abbashus closed this May 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz will be requested when the pull request is marked ready for review anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross will be requested when the pull request is marked ready for review andrross is a code owner

@ashking94 ashking94 Awaiting requested review from ashking94 ashking94 will be requested when the pull request is marked ready for review ashking94 is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar will be requested when the pull request is marked ready for review Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE will be requested when the pull request is marked ready for review CEHENKLE is a code owner

@dblock dblock Awaiting requested review from dblock dblock will be requested when the pull request is marked ready for review dblock is a code owner

@dbwiddis dbwiddis Awaiting requested review from dbwiddis dbwiddis will be requested when the pull request is marked ready for review dbwiddis is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna will be requested when the pull request is marked ready for review gbbafna is a code owner

@jainankitk jainankitk Awaiting requested review from jainankitk jainankitk will be requested when the pull request is marked ready for review jainankitk is a code owner

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal will be requested when the pull request is marked ready for review kotwanikunal is a code owner

@linuxpi linuxpi Awaiting requested review from linuxpi linuxpi will be requested when the pull request is marked ready for review linuxpi is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 will be requested when the pull request is marked ready for review mch2 is a code owner

@msfroh msfroh Awaiting requested review from msfroh msfroh will be requested when the pull request is marked ready for review msfroh is a code owner

@nknize nknize Awaiting requested review from nknize nknize will be requested when the pull request is marked ready for review nknize is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 will be requested when the pull request is marked ready for review owaiskazi19 is a code owner

@reta reta Awaiting requested review from reta reta will be requested when the pull request is marked ready for review reta is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 will be requested when the pull request is marked ready for review Rishikesh1159 is a code owner

@sachinpkale sachinpkale Awaiting requested review from sachinpkale sachinpkale will be requested when the pull request is marked ready for review sachinpkale is a code owner

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli will be requested when the pull request is marked ready for review saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja will be requested when the pull request is marked ready for review shwetathareja is a code owner

@sohami sohami Awaiting requested review from sohami sohami will be requested when the pull request is marked ready for review sohami is a code owner

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah will be requested when the pull request is marked ready for review VachaShah is a code owner

Assignees

@abbashus abbashus

Labels
CVE Fixes a CVE
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@abbashus @opensearch-ci-bot @adnapibar