ZEPPELIN-3793 (project: Zeppelin)

Zeppelin third party libraries has security vulnerability issues CVE-2015-3254 CVE-2017-15288

      Description

      Zeppelin uses org.apache.thrift:0.9.2, which has the following security vulnerability.
      Vulnerability details:
      Number: CVE-2015-3254
      Description:

      The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.

      (source: https://www.cvedetails.com/cve/CVE-2015-3254/)

      The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.

      (source: https://www.cvedetails.com/cve/CVE-2016-5397/)

      Is there any upgrade/alternative planned for the above issue?

      When I used org.apache.thrift 0.10.0 and 0.11.0, it showed a compilation error when I built from source.

      Also, we have a few more similar issues:

      Dependency                                     CVE              Status
      org.apache.thrift->libthrift->0.9.2            CVE-2015-3254    Fails to compile
      org.scala-lang->scala-library->2.11.7          CVE-2017-15288   Not feasible
      com.google.code.gson->gson->2.2                                 Fails to compile
      jackson-databind->2.8.11.1->apache->2.9.7                       Fails to compile
      jackson-annotations->2.8.0->apache->2.9.7                       Fails to compile

Assignee: Unassigned
Reporter: vinayak shedgeri (vinayakshedgeri)