Kylin issue KYLIN-2879

Upgrade Spring & Spring Security to fix potential vulnerability


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: v2.2.0
    • Component/s: None
    • Labels: None

    Description

      After running against VersionEye, the system shows that Kylin has "14 known security vulnerabilities". They are from the commons-fileupload, commons-email, xercesImpl, spring-webmvc, spring-jdbc, spring-aop, spring-context-support, spring-test, spring-security-core, tomcat-catalina and spring-core libraries. Upgrading to newer versions will fix the vulnerabilities.

      Following is the detailed report:

      commons-fileupload : 1.3.1

      CVE-2016-3092: Apache Commons Fileupload: Denial of Service
      https://bugzilla.redhat.com/show_bug.cgi?id=1349475
      http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
      http://tomcat.apache.org/security.html
      http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
      Affected versions: <=1.3.1,1.3 && <=1.2.2,1.2
      Also reported (affected version 1.3.1) at:
      https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759

      CVE-2016-1000031: Apache Commons FileUpload Deserialization Gadget
      https://www.tenable.com/security/research/tra-2016-12
      https://issues.apache.org/jira/browse/FILEUPLOAD-279
      https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
      Affected versions: <=1.3.2

      commons-email : 1.4

      CVE-2017-9801: SMTP header injection vulnerability
      https://commons.apache.org/proper/commons-email/security-reports.html
      https://nvd.nist.gov/vuln/detail/CVE-2017-9801
      Affected versions: <=1.4

      xercesImpl : 2.11.0

      CVE-2013-4002: Apache Xerces: XMLScanner resource exhaustion
      https://bugzilla.redhat.com/CVE-2013-4002
      http://svn.apache.org/viewvc?view=revision&revision=1499506
      Affected versions: <=2.11.0

      spring-webmvc : 4.2.8.RELEASE

      CVE-2016-9878
      https://pivotal.io/security/cve-2016-9878
      Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, 3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17

      spring-jdbc : 4.2.8.RELEASE

      CVE-2016-9878
      https://pivotal.io/security/cve-2016-9878
      Affected versions: same list as for spring-webmvc above

      spring-aop : 4.2.8.RELEASE

      CVE-2016-9878
      https://pivotal.io/security/cve-2016-9878
      Affected versions: same list as for spring-webmvc above

      spring-context-support : 4.2.8.RELEASE

      CVE-2016-9878
      https://pivotal.io/security/cve-2016-9878
      Affected versions: same list as for spring-webmvc above

      spring-test : 4.2.8.RELEASE

      CVE-2016-9878
      https://pivotal.io/security/cve-2016-9878
      Affected versions: same list as for spring-webmvc above

      spring-security-core : 4.0.4.RELEASE

      CVE-2016-5007: Spring Security / MVC Path Matching Inconsistency
      https://pivotal.io/security/cve-2016-5007
      Affected versions: <=4.1.0.RELEASE

      tomcat-catalina : 7.0.69

      CVE-2016-3092: Apache Commons Fileupload: Denial of Service
      https://bugzilla.redhat.com/show_bug.cgi?id=1349475
      http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
      http://tomcat.apache.org/security.html
      http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
      Affected versions: <=9.0.0.M7,9 && <=8.5.2,8.5 && <=8.0.35,8.0 && <=7.0.69,7

      People

        Assignee and Reporter: Billy Liu (yimingliu)