  1. Apache Storm
  2. STORM-3592

Vulnerable dependencies in your project (CVEs)

Details

    • Type: Dependency upgrade
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid

    Description

      Hi,
      I found some CVEs in the library dependencies, which may affect the security of your projects. In order to avoid threats, I recommend updating to a safe version. Here is the detailed information:

      Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.8.5
      CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
      Import Path: external/storm-hdfs/pom.xml, external/storm-hdfs-blobstore/pom.xml, external/storm-blobstore-migration/pom.xml
      Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

      Vulnerable Library Version: org.eclipse.jetty : jetty-server : 9.4.14.v20181114
      CVE ID: [CVE-2019-10247](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247)
      Import Path: examples/storm-loadgen/pom.xml, storm-core/pom.xml
      Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

      Vulnerable Library Version: org.apache.commons : commons-compress : 1.18
      CVE ID: [CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)
      Import Path: storm-server/pom.xml, examples/storm-pmml-examples/pom.xml
      Suggested Safe Versions: 1.19, 1.20

      Vulnerable Library Version: org.eclipse.jetty : jetty-util : 9.4.14.v20181114
      CVE ID: [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246), [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241)
      Import Path: storm-core/pom.xml
      Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

      Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.11.0.3
      CVE ID: [CVE-2019-17196](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196)
      Import Path: external/storm-kafka-client/pom.xml, external/storm-kafka-client/pom.xml
      Suggested Safe Versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0

      Vulnerable Library Version: com.google.guava : guava : 17.0
      CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
      Import Path: external/storm-solr/pom.xml, examples/storm-solr-examples/pom.xml
      Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre

      Vulnerable Library Version: com.google.guava : guava : 16.0.1
      CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
      Import Path: sql/storm-sql-runtime/pom.xml, sql/storm-sql-external/storm-sql-hdfs/pom.xml...(The rest of the 17 paths is hidden.)
      Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre

      Vulnerable Library Version: org.apache.thrift : libthrift : 0.9.3
      CVE ID: [CVE-2018-1320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320)
      Import Path: external/storm-hive/pom.xml
      Suggested Safe Versions: 0.12.0, 0.13.0

      Vulnerable Library Version: org.apache.activemq : activemq-client : 5.15.8
      CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
      Import Path: examples/storm-jms-examples/pom.xml
      Suggested Safe Versions: 5.15.10, 5.15.11, 5.15.9

      Vulnerable Library Version: org.apache.solr : solr-core : 5.5.5
      CVE ID: [CVE-2017-3164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164), [CVE-2019-0192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192)
      Import Path: external/storm-solr/pom.xml
      Suggested Safe Versions: 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1

      Vulnerable Library Version: org.fusesource.mqtt-client : mqtt-client : 1.14
      CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
      Import Path: examples/storm-mqtt-examples/pom.xml
      Suggested Safe Versions: 1.16

      Vulnerable Library Version: org.fusesource.mqtt-client : mqtt-client : 1.10
      CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
      Import Path: external/storm-mqtt/pom.xml
      Suggested Safe Versions: 1.16

      Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.9.8
      CVE ID: [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-16335](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384), [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439), [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-14379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379), [CVE-2019-14540](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540), [CVE-2019-17267](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267), [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942)
      Import Path: sql/storm-sql-runtime/pom.xml, external/storm-hbase/pom.xml, external/storm-elasticsearch/pom.xml, external/storm-kafka-migration/pom.xml, external/storm-redis/pom.xml, external/storm-opentsdb/pom.xml, external/storm-kafka-client/pom.xml, storm-webapp/pom.xml
      Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3

            People

              Assignee: Unassigned
              Reporter: XuCongying (XuCY)