Skip to content

fix(druid): CVE-2023-34455 #935

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Jan 28, 2025
Merged

fix(druid): CVE-2023-34455 #935

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
6ce1b08
fix(druid): CVE-2023-34455
razvan Nov 14, 2024
436d818
add doc to patch file
razvan Nov 15, 2024
392a47c
update changelog
razvan Nov 15, 2024
abf44bf
Merge branch 'main' into fix/druid/cve-2023-34455
razvan Dec 16, 2024
164896c
Merge branch 'main' into fix/druid/cve-2023-34455
razvan Dec 16, 2024
0607a32
Merge branch 'main' into fix/druid/cve-2023-34455
razvan Dec 18, 2024
d38d95e
Merge branch 'main' into fix/druid/cve-2023-34455
razvan Jan 28, 2025
1fae9a4
fix markdown lint
razvan Jan 28, 2025
f0d296c
revert prometheus patch from main
razvan Jan 28, 2025
cf78ac9
added new patch file
razvan Jan 28, 2025
53b6e9d
fix copy&paste
razvan Jan 28, 2025
18e2c1a
put the execution in the "dist" profile
razvan Jan 28, 2025
1252a3d
Merge branch 'main' into fix/druid/cve-2023-34455
razvan Jan 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ All notable changes to this project will be documented in this file.

### Fixed

- druid: Fix CVE-2023-34455 in Druid `30.0.0` by deleting a dependency ([#935]).
- hadoop: Fix the JMX exporter configuration for metrics suffixed with
`_total`, `_info` and `_created` ([#962]).

Expand All @@ -31,6 +32,7 @@ All notable changes to this project will be documented in this file.
[#943]: https://github.com/stackabletech/docker-images/pull/943
[#958]: https://github.com/stackabletech/docker-images/pull/958
[#959]: https://github.com/stackabletech/docker-images/pull/959
[#935]: https://github.com/stackabletech/docker-images/pull/935
[#962]: https://github.com/stackabletech/docker-images/pull/962
[#980]: https://github.com/stackabletech/docker-images/pull/980
[#981]: https://github.com/stackabletech/docker-images/pull/981
Expand Down
36 changes: 36 additions & 0 deletions druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
Fix CVE-2023-34455
see https://github.com/stackabletech/vulnerabilities/issues/558

At the end of build process, Druid downloads dependencies directly from a remote
Maven repository ignoring existing patches that have been applyed locally.
These dependencies include all transitive dependencies too.
The hadoop client depends on a vulnerable version of the snappy library which
is then also downloaded even though a newer version is already on the system.

This patch removes the vulnerable jars.

diff --git a/distribution/pom.xml b/distribution/pom.xml
index d5918710ef..2d5bfc6ab4 100644
--- a/distribution/pom.xml
+++ b/distribution/pom.xml
@@ -259,6 +259,20 @@
</arguments>
</configuration>
</execution>
+ <execution>
+ <id>fix-cve-2023-34455-remove-snappy</id>
+ <phase>package</phase>
+ <goals>
+ <goal>exec</goal>
+ </goals>
+ <configuration>
+ <executable>/usr/bin/rm</executable>
+ <arguments>
+ <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar</argument>
+ <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar</argument>
+ </arguments>
+ </configuration>
+ </execution>
</executions>
</plugin>
<plugin>