hive-metastore-3.1.3.jar: 4 vulnerabilities (highest severity is: 8.7)

[dev-mend-for-github.aaakk.us.kg]

Vulnerable Library - hive-metastore-3.1.3.jar

Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-common/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml,/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/pom.xml,/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/pom.xml,/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service-nar/pom.xml

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (hive-metastore version)	Remediation Possible**
CVE-2022-3509	High	8.7	protobuf-java-2.5.0.jar	Transitive	4.0.0	✅
CVE-2021-22569	High	8.7	protobuf-java-2.5.0.jar	Transitive	4.0.0	✅
CVE-2018-1320	High	8.7	libthrift-0.9.3.jar	Transitive	4.0.0	✅
CVE-2022-3171	Medium	5.3	protobuf-java-2.5.0.jar	Transitive	4.0.0	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-3509

Vulnerable Library - protobuf-java-2.5.0.jar

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://code.google.com/p/protobuf

Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-common/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml,/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/pom.xml,/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/pom.xml,/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service-nar/pom.xml

Dependency Hierarchy:

• hive-metastore-3.1.3.jar (Root Library)
  • hive-serde-3.1.3.jar
    • hive-common-3.1.3.jar
      • dropwizard-metrics-hadoop-metrics2-reporter-0.1.2.jar
        • hadoop-common-3.3.6.jar
          • ❌ protobuf-java-2.5.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-11-01

URL: CVE-2022-3509

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.apache.hive:hive-metastore): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22569

Vulnerable Library - protobuf-java-2.5.0.jar

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://code.google.com/p/protobuf

Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-common/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml,/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/pom.xml,/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/pom.xml,/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service-nar/pom.xml

Dependency Hierarchy:

• hive-metastore-3.1.3.jar (Root Library)
  • hive-serde-3.1.3.jar
    • hive-common-3.1.3.jar
      • dropwizard-metrics-hadoop-metrics2-reporter-0.1.2.jar
        • hadoop-common-3.3.6.jar
          • ❌ protobuf-java-2.5.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-07

URL: CVE-2021-22569

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.1

Direct dependency fix Resolution (org.apache.hive:hive-metastore): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-1320

Vulnerable Library - libthrift-0.9.3.jar

Thrift is a software framework for scalable cross-language services development.

Library home page: http://thrift.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml

Dependency Hierarchy:

• hive-metastore-3.1.3.jar (Root Library)
  • hive-serde-3.1.3.jar
    • hive-common-3.1.3.jar
      • hive-shims-3.1.3.jar
        • hive-shims-common-3.1.3.jar
          • ❌ libthrift-0.9.3.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

Publish Date: 2019-01-07

URL: CVE-2018-1320

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320

Release Date: 2019-01-07

Fix Resolution (org.apache.thrift:libthrift): 0.9.3-1

Direct dependency fix Resolution (org.apache.hive:hive-metastore): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3171

Vulnerable Library - protobuf-java-2.5.0.jar

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://code.google.com/p/protobuf

Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-common/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml,/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml,/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-nar/pom.xml,/nifi-nar-bundles/nifi-atlas-bundle/nifi-atlas-reporting-task/pom.xml,/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service-nar/pom.xml

Dependency Hierarchy:

• hive-metastore-3.1.3.jar (Root Library)
  • hive-serde-3.1.3.jar
    • hive-common-3.1.3.jar
      • dropwizard-metrics-hadoop-metrics2-reporter-0.1.2.jar
        • hadoop-common-3.3.6.jar
          • ❌ protobuf-java-2.5.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 4 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.apache.hive:hive-metastore): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.