
Maven junction plugin security threat

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2.0, 1.1.3
    • Component/s: Build System
    • Labels:
      None

      Description

      We use the Maven Junction plugin http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html to create a symbolic link to the build directory. On Windows, the plugin downloads an executable from the author's homepage, which may be modified by an attacker. The plugin has not been updated since 2007 and the maintainer has not shown interest in fixing the issue.

      I propose to remove the plugin while this security threat persists.
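An added check, not from the issue or the Flink project: a small scanner that reports any pom.xml still declaring the plugin, so a build tree can be audited after the removal. The plugin's Maven coordinates (com.pyx4j:maven-junction-plugin) are assumed here, since the issue names only the plugin, and the sample POM is constructed.

```python
"""Scan a pom.xml for plugin declarations that should not be there."""
import xml.etree.ElementTree as ET

# Assumed Maven coordinates of the Maven Junction plugin (not stated on the page).
FLAGGED_PLUGINS = {("com.pyx4j", "maven-junction-plugin")}


def _local(tag: str) -> str:
    """Drop the POM namespace prefix so the scan works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, else None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_flagged_plugins(pom_xml: str) -> list:
    """Return one record per flagged <plugin>: where it sits and which goals it binds."""
    root = ET.fromstring(pom_xml)
    hits, stack = [], [(root, [])]
    while stack:
        elem, path = stack.pop()
        for child in elem:
            name = _local(child.tag)
            if name != "plugin":
                stack.append((child, path + [name]))
                continue
            # A <plugin> without <groupId> defaults to org.apache.maven.plugins, never a flagged one.
            coords = (_child_text(child, "groupId"), _child_text(child, "artifactId"))
            if coords in FLAGGED_PLUGINS:
                goals = [g.text.strip() for g in child.iter() if _local(g.tag) == "goal" and g.text]
                hits.append({"plugin": ":".join(coords), "where": "/".join(path), "goals": goals})
    return hits


# Constructed sample POM: one flagged plugin bound to generate-sources, one harmless plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins>
    <plugin>
      <groupId>com.pyx4j</groupId><artifactId>maven-junction-plugin</artifactId>
      <executions><execution><phase>generate-sources</phase>
        <goals><goal>link</goal></goals></execution></executions>
    </plugin>
    <plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId></plugin>
  </plugins></build>
</project>"""

HITS = find_flagged_plugins(SAMPLE_POM)  # one hit: com.pyx4j:maven-junction-plugin in build/plugins
```

Run it against every pom.xml in a checkout; any hit means the plugin is still wired into a build phase and the removal is incomplete.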

          Activity

          githubbot ASF GitHub Bot added a comment -

          GitHub user mxm opened a pull request:

          https://github.com/apache/flink/pull/2586

          FLINK-4732 remove maven junction plugin

          On Windows, the plugin may download code from the author's web
          site. The downloaded file is not signed in the same way as Maven
          artifacts from Maven central which have to be signed with the
          developer's key. This could be a potential target for attackers.

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/mxm/flink FLINK-4732

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/flink/pull/2586.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #2586


          commit dcdac00a0432f66bbf2992c8cfcc502d41a7d8c2
          Author: Maximilian Michels <mxm@apache.org>
          Date: 2016-10-04T09:12:35Z

          FLINK-4732 remove maven junction plugin

          On Windows, the plugin may download code from the author's web
          site. The downloaded file is not signed in the same way as Maven
          artifacts from Maven central which have to be signed with the
          developer's key. This could be a potential target for attackers.


          githubbot ASF GitHub Bot added a comment -

          Github user mxm commented on the issue:

          https://github.com/apache/flink/pull/2586

          CC @uce

          githubbot ASF GitHub Bot added a comment -

          Github user uce commented on the issue:

          https://github.com/apache/flink/pull/2586

          Thanks! It's good to address this. I really liked the symbolic link, maybe we can enable it again after this has been resolved by the Maven plugin.

          +1 to merge this to `master` and `release-1.1` branches.

          githubbot ASF GitHub Bot added a comment -

          Github user mxm commented on the issue:

          https://github.com/apache/flink/pull/2586

          Merging to both branches.

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/flink/pull/2586

          mxm Maximilian Michels added a comment -

          master: 5a573c6bc29c313d34981336d5bfc05185d323d2
          release-1.1: a31a22ec7fc08cce8da4e5e97010d1b2cf8124e7

          githubbot ASF GitHub Bot added a comment -

          Github user mxm commented on the issue:

          https://github.com/apache/flink/pull/2586

          Merged to `master` and `release-1.1`.

          @uce I also like the symbolic link. I contacted the maintainer of the plugin because it wouldn't be hard to fix this nowadays with Java 7+ which supports the creation of symbolic links. I think the lack of this was the reason why the author chose to download a binary. However, I don't know why he didn't simply ship it with the jar which should have been possible.


            People

            • Assignee:
              mxm Maximilian Michels
            • Reporter:
              mxm Maximilian Michels