
[Security] Upgrade dependencies to fix severity #142

Closed
ilovechai opened this issue Mar 29, 2023 · 2 comments

Comments

@ilovechai
Contributor

| Image | Package | Version | Path | Type | CVE | CVSS | Severity | Status | HasFix | Exploit | Scanners |
|---|---|---|---|---|---|---|---|---|---|---|---|
| omag-hms-connector | bzip2-libs | 1.0.6-26.el8 | | os | CVE-2019-12900 | 4 | low | | N | | aqua- |
| omag-hms-connector | calcite-core | 1.16.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-13955 | 5.9 | medium | Upgrade package calcite-core to version 1.26.0 or above. | Y | | aqua |
| omag-hms-connector | calcite-core | 1.16.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-13955 | 5.9 | medium | Upgrade package calcite-core to version 1.26.0 or above. | Y | | aqua |
| omag-hms-connector | calcite-core | 1.16.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-39135 | 9.8 | critical | Upgrade package calcite-core to version 1.32.0 or above. | Y | | aqua |
| omag-hms-connector | com.fasterxml.jackson.core_jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | jar | CVE-2019-14439 | 7.5 | high | fixed in 2.9.9.2 | Y | | twistlock- |
| omag-hms-connector | commons-codec_commons-codec | 1.7 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | jar | PRISMA-2021-0055 | 0 | low | fixed in 1.13 | Y | | twistlock- |
| omag-hms-connector | commons-io | 2.4 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2021-29425 | 4.8 | medium | Upgrade package commons-io to version 2.7 or above. | Y | | aqua |
| omag-hms-connector | commons-net | 3.6 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2021-37533 | 6.5 | medium | Upgrade package commons-net to version 3.9.0 or above. | Y | | aqua |
| omag-hms-connector | gmp | 6.1.2-10.el8 | | os | CVE-2021-43618 | 6.2 | low | | N | | aqua- |
| omag-hms-connector | gnupg2 | 2.2.20-3.el8_6 | | os | CVE-2022-3219 | 6.2 | low | | N | | aqua- |
| omag-hms-connector | gnutls | 3.6.16-5.el8_6 | | os | CVE-2021-4209 | 6.5 | low | | N | | aqua- |
| omag-hms-connector | gnutls | 3.6.16-5.el8_6 | | os | CVE-2023-0361 | 7.4 | medium | affected | N | | aqua |
| omag-hms-connector | guava | 19.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-10237 | 5.9 | medium | Upgrade package guava to version 24.1.1 or above. | Y | | aqua |
| omag-hms-connector | guava | 19.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-8908 | 3.3 | low | Upgrade package guava to version 30.0 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-12022 | 7.5 | high | Upgrade package jackson-databind to version 2.9.6 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-12023 | 7.5 | high | Upgrade package jackson-databind to version 2.9.6 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-14718 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.7 or above. | Y | | |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-14719 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.7 or above. | Y | | |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-14720 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.7 or above. | Y | | |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-14721 | 10 | critical | Upgrade package jackson-databind to version 2.9.7 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-19360 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-19361 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2018-19362 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-12086 | 7.5 | high | Upgrade package jackson-databind to version 2.9.9 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-12384 | 5.9 | medium | Upgrade package jackson-databind to version 2.9.9.1 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-12814 | 5.9 | medium | Upgrade package jackson-databind to version 2.9.9.1 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-14379 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.9.2 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-14540 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-14892 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.3 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-14893 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-16335 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-16942 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.1 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-16943 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.1 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-17267 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-17531 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.1 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2019-20330 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.2 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-10650 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-10672 | 8.8 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-10673 | 8.8 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-10968 | 8.8 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-10969 | 8.8 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-11111 | 8.8 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-11112 | 8.8 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-11113 | 8.8 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-11619 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-11620 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-14060 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.5 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-14061 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.5 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-14062 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.5 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-14195 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.5 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-24616 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.6 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-24750 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.6 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-25649 | 7.5 | high | Upgrade package jackson-databind to version 2.9.10.7 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-35490 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-35491 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-35728 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36179 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36180 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36181 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36182 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36183 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36184 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36185 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36186 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36187 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36188 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36189 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.8 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-36518 | 7.5 | high | Upgrade package jackson-databind to version 2.12.6.1 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-8840 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.3 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-9546 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-9547 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2020-9548 | 9.8 | critical | Upgrade package jackson-databind to version 2.9.10.4 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2021-20190 | 8.1 | high | Upgrade package jackson-databind to version 2.9.10.7 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-42003 | 7.5 | high | Upgrade package jackson-databind to version 2.12.7.2 or above. | Y | | aqua |
| omag-hms-connector | jackson-databind | 2.9.5 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-42004 | 7.5 | high | Upgrade package jackson-databind to version 2.12.7.1 or above. | Y | | aqua |
| omag-hms-connector | jettison | 1.1 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-40149 | 7.5 | high | Upgrade package jettison to version 1.5.1 or above. | Y | | aqua |
| omag-hms-connector | jettison | 1.1 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-40150 | 7.5 | high | Upgrade package jettison to version 1.5.2 or above. | Y | | aqua |
| omag-hms-connector | jettison | 1.1 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-45685 | 7.5 | high | Upgrade package jettison to version 1.5.2 or above. | Y | | aqua |
| omag-hms-connector | jettison | 1.1 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-45693 | 7.5 | high | Upgrade package jettison to version 1.5.2 or above. | Y | | aqua |
| omag-hms-connector | jettison | 1.1 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2023-1436 | 4 | medium | Upgrade package jettison to version 1.5.4 or above. | Y | | aqua |
| omag-hms-connector | jetty-http | 9.4.43.v20210629 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-2047 | 2.7 | low | Upgrade package jetty-http to version 9.4.47 or above. | Y | | aqua- |
| omag-hms-connector | json-smart | 2.4.7 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2023-1370 | 7 | high | Upgrade package json-smart to version 2.4.9 or above. | Y | | aqua |
| omag-hms-connector | netty-transport-native-epoll | 4.1.42.Final | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2021-21290 | 5.5 | medium | Upgrade package netty-transport-native-epoll to version 4.1.59.Final or above. | Y | | aqua- |
| omag-hms-connector | org.eclipse.jetty_jetty-http | 9.4.43 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | jar | CVE-2022-2047 | 1 | low | fixed in 11.0.10; 10.0.10; 9.4.47 | Y | | twistlock- |
| omag-hms-connector | org.eclipse.jetty_jetty-io | 9.4.43 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | jar | CVE-2022-2047 | 2.7 | low | fixed in 10.0.9; 9.4.46 | Y | | twistlock- |
| omag-hms-connector | org.eclipse.jetty_jetty-io | 9.4.43 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | jar | CVE-2022-2048 | 7.5 | high | fixed in 11.0.9; 10.0.9; 9.4.47 | Y | | twistlock- |
| omag-hms-connector | org.eclipse.jetty_jetty-server | 9.4.43 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | jar | PRISMA-2021-0182 | 5.5 | medium | fixed in 9.4.44 | Y | | twistlock- |
| omag-hms-connector | org.eclipse.jetty_jetty-servlet | 9.4.43 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | jar | PRISMA-2021-0182 | 5.5 | medium | fixed in 9.4.44 | Y | | twistlock- |
| omag-hms-connector | protobuf-java | 2.5.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2015-5237 | 8.8 | high | Upgrade package protobuf-java to version 3.4.0 or above. | Y | | aqua- |
| omag-hms-connector | protobuf-java | 2.5.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2021-22569 | 7 | high | Upgrade package protobuf-java to version 3.16.1 or above. | Y | | aqua |
| omag-hms-connector | protobuf-java | 2.5.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-3171 | 7.5 | high | Upgrade package protobuf-java to version 3.16.3 or above. | Y | | aqua |
| omag-hms-connector | protobuf-java | 2.5.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-3509 | 7.5 | high | Upgrade package protobuf-java to version 3.16.3 or above. | Y | | aqua |
| omag-hms-connector | protobuf-java | 2.5.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-3510 | 7.5 | high | Upgrade package protobuf-java to version 3.16.3 or above. | Y | | aqua |
| omag-hms-connector | woodstox-core | 5.3.0 | /opt/ibm/omag-hms/libs/egeria-connector-hivemetastore-1.1-SNAPSHOT-jar-with-dependencies.jar | java | CVE-2022-40152 | 7.5 | high | Upgrade package woodstox-core to version 5.4.0 or above. | Y | | aqua |
@planetf1
Member

planetf1 commented Apr 14, 2023

Thanks - I reviewed the list above

OS dependencies
• bzip2-libs, gmp, gnupg2, gnutls are OS dependencies, so will vary according to the container you use. The official egeria images are made using a redhat maintained UBI-9 image (openjdk-17). These images do not appear to show this vulnerability, so it may be in a custom image?

Dependencies that don't match what we have from ./gradlew dependencies -q or ./gradlew dependencies -Pibmhms -q

Many of these are pinned by egeria BOM -- it's unclear why your scanner is reporting older versions. Perhaps it is following the minimum required level within the pom, and not resolving using gradle's dependency management (this would be incorrect):

• Calcite-core is not found
• jackson-databind is at 2.14.2 
• commons-codec is at 1.15
• commons-io is at 2.11.0
• guava is at 31.1-jre
• protobuf is at 3.22.2

Hadoop specific dependencies

These are pulled in via hadoop. It may be possible to pin to a later version, or in some cases excluded, but this will require more testing/investigation. The hadoop libraries are old....:

One option may be to observe class loading when the connector is in operation, using a java agent -- or debugging, and then remove any we don't need?
The 'minimize' option in the build may be useful too -- and then we'd need to add exclusions for any classes needed
We'd need to fix the bug whereby class loading errors are not detected -> #113

• jettison is at 1.1, so does have vuln. 1.5.4 is available, so could be updated if jersey-json 1.19 is ok with it. Jersey itself could be updated to 1.19.4 -- it's coming in through the hadoop dependency
• commons-net is at 3.6 (so will have the vuln) and could be -> 3.9.0
• jetty-http & other jetty components are at 9.4.43.v20210629, so do have vuln - also coming in through hadoop-common. There are much more recent versions, up to 11.0.14, but one needs to check what might work with older hadoop versions
• json-smart is 2.4.7 (via hadoop-auth). 2.4.10 is latest
• netty-transport-native-epoll is at 4.1.42.Final - and there are many later versions
• woodstox-core is at 5.3.0, so vuln - via hadoop. Many later versions are available

So in summary:

  • The OS level scans are likely specific to your image - action @ilovechai
  • The scanner appears to incorrectly analyze dependencies - can you investigate @ilovechai
  • Our hadoop connector pulls in some bad library versions. We need to look into this @davidradl @planetf1
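A triage script for the mismatch described in the comment above, added here as an example and not code from the connector project or from anyone in this thread: it parses rows in the scanner's flattened column format and a `./gradlew dependencies -q` tree (both constructed samples, with CVE ids taken from the list above and a placeholder jar path) and reports, per CVE, whether the version Gradle actually resolves is still below the listed fix, so findings the scanner took from pre-BOM requested versions (jackson-databind, guava) separate from real exposures pulled in via hadoop (jettison, jetty). The `version_key` ordering, the `group_artifact` prefix handling and the same-release-line choice in `fix_version_for` are my assumptions about how such a scanner formats its output.

```python
import re
from typing import Optional

# Constructed sample rows in the scanner's flattened column order (Image Package
# Version [Path] Type CVE CVSS Severity Status HasFix Scanner); placeholder jar path.
SCANNER_ROWS = """\
omag-hms-connector jackson-databind 2.9.5 /opt/example/app.jar java CVE-2020-36189 8.1 high Upgrade package jackson-databind to version 2.9.10.8 or above. Y aqua
omag-hms-connector jettison 1.1 /opt/example/app.jar java CVE-2023-1436 4 medium Upgrade package jettison to version 1.5.4 or above. Y aqua
omag-hms-connector guava 19.0 /opt/example/app.jar java CVE-2020-8908 3.3 low Upgrade package guava to version 30.0 or above. Y aqua
omag-hms-connector org.eclipse.jetty_jetty-io 9.4.43 /opt/example/app.jar jar CVE-2022-2048 7.5 high fixed in 11.0.9; 10.0.9; 9.4.47 Y twistlock-
omag-hms-connector gmp 6.1.2-10.el8 os CVE-2021-43618 6.2 low N aqua-
"""

# Constructed `./gradlew dependencies -q` output; "requested -> resolved" marks a BOM override.
GRADLE_TREE = """\
+--- com.fasterxml.jackson.core:jackson-databind:2.9.5 -> 2.14.2
+--- org.codehaus.jettison:jettison:1.1
+--- org.eclipse.jetty:jetty-io:9.4.43.v20210629 (*)
\\--- com.google.guava:guava:19.0 -> 31.1-jre
"""

ROW_RE = re.compile(
    r"^(?P<image>\S+) (?P<package>\S+) (?P<version>\S+)(?: (?P<path>/\S+))? "
    r"(?P<type>os|java|jar) (?P<cve>\S+) (?P<cvss>[\d.]+) (?P<severity>\w+) "
    r"(?P<status>.*?) ?(?P<hasfix>[YN])(?: (?P<scanner>\S+))?$")
TREE_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(\S+)(?: -> (\S+))?(?: \(.\))?$")


def version_key(version: str) -> list:
    # Numeric segments compare as ints; qualifiers (Final, jre, v2021...) as text.
    return [(0, int(p)) if p.isdigit() else (1, p.lower())
            for p in re.split(r"[.\-]", version)]


def parse_gradle_tree(text: str) -> dict:
    # artifactId -> resolved version; the right-hand side of '->' wins.
    resolved = {}
    for line in text.splitlines():
        m = TREE_RE.search(line)
        if m:
            resolved[m.group(2)] = m.group(4) or m.group(3)
    return resolved


def fix_version_for(status: str, resolved: str) -> Optional[str]:
    """Pick the fix version on the same release line as the resolved one."""
    m = re.search(r"to version (\S+) or above", status)
    if m:
        return m.group(1)
    m = re.search(r"fixed in (.+)", status)
    if not m:
        return None
    candidates = [c.strip() for c in m.group(1).split(";")]
    same_line = [c for c in candidates if c.split(".")[0] == resolved.split(".")[0]]
    return min(same_line or candidates, key=version_key)


def triage(scanner_text: str, gradle_text: str) -> dict:
    """(artifact, CVE) -> verdict of each scanner finding against the resolved build."""
    resolved = parse_gradle_tree(gradle_text)
    report = {}
    for line in scanner_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable scanner row: {line!r}")
        row = m.groupdict()
        artifact = row["package"].rsplit("_", 1)[-1]  # drop a 'group_' prefix
        actual = resolved.get(artifact)
        if row["type"] == "os":
            verdict = "os-package"      # comes from the base image, not the build
        elif actual is None:
            verdict = "not-in-build"    # scanner saw it, Gradle does not resolve it
        else:
            fix = fix_version_for(row["status"], actual)
            verdict = ("no-fix-listed" if fix is None else
                       "vulnerable" if version_key(actual) < version_key(fix) else
                       "resolved-fixed")  # scanner read the pre-BOM requested version
        report[(artifact, row["cve"])] = {"scanner_version": row["version"], "resolved": actual, "verdict": verdict}
    return report
```

Feed it the real scanner export and the real `./gradlew dependencies -q` output; anything still marked `vulnerable` is a genuine upgrade or exclusion to make, while `resolved-fixed` rows are the scanner misreading requested versions.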

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 4, 2023