fix(druid): CVE-2023-34455 (#935)

razvan · web-flow · commit 82591c617f11 · 2025-01-28T16:29:59.000Z
* fix(druid): CVE-2023-34455 * add doc to patch file * update changelog * fix markdown lint * revert prometheus patch from main * added new patch file * fix copy&paste * put the execution in the "dist" profile
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,7 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
+- druid: Fix CVE-2023-34455 in Druid `30.0.0` by deleting a dependency ([#935]).
 - hadoop: Fix the JMX exporter configuration for metrics suffixed with
   `_total`, `_info` and `_created` ([#962]).
 
@@ -31,6 +32,7 @@ All notable changes to this project will be documented in this file.
 [#943]: https://github.com/stackabletech/docker-images/pull/943
 [#958]: https://github.com/stackabletech/docker-images/pull/958
 [#959]: https://github.com/stackabletech/docker-images/pull/959
+[#935]: https://github.com/stackabletech/docker-images/pull/935
 [#962]: https://github.com/stackabletech/docker-images/pull/962
 [#980]: https://github.com/stackabletech/docker-images/pull/980
 [#981]: https://github.com/stackabletech/docker-images/pull/981
diff --git a/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch
@@ -0,0 +1,36 @@
+Fix CVE-2023-34455
+see https://github.com/stackabletech/vulnerabilities/issues/558
+
+At the end of build process, Druid downloads dependencies directly from a remote
+Maven repository ignoring existing patches that have been applyed locally.
+These dependencies include all transitive dependencies too.
+The hadoop client depends on a vulnerable version of the snappy library which
+is then also downloaded even though a newer version is already on the system.
+
+This patch removes the vulnerable jars.
+
+diff --git a/distribution/pom.xml b/distribution/pom.xml
+index d5918710ef..2d5bfc6ab4 100644
+--- a/distribution/pom.xml
++++ b/distribution/pom.xml
+@@ -259,6 +259,20 @@
+                                     </arguments>
+                                 </configuration>
+                             </execution>
++                            <execution>
++                                <id>fix-cve-2023-34455-remove-snappy</id>
++                                <phase>package</phase>
++                                <goals>
++                                    <goal>exec</goal>
++                                </goals>
++                                <configuration>
++                                  <executable>/usr/bin/rm</executable>
++                                    <arguments>
++                                      <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar</argument>
++                                      <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar</argument>
++                                    </arguments>
++                                </configuration>
++                            </execution>
+                         </executions>
+                     </plugin>
+                     <plugin>
