stackabletech · razvan · Jan 28, 2025 · Nov 14, 2024 · Nov 15, 2024 · Nov 15, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -70,6 +70,7 @@ All notable changes to this project will be documented in this file.
 - nifi: Fix CVE-2024-36114 in NiFi `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]).
 - hbase: Fix CVE-2024-36114 in HBase `2.6.0` by upgrading a dependency. ([#925]).
 - druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]).
+- druid: Fix CVE-2023-34455 in Druid `30.0.0` by deleting a dependency ([#935]).
 
 [#783]: https://github.com/stackabletech/docker-images/pull/783
 [#797]: https://github.com/stackabletech/docker-images/pull/797
@@ -119,6 +120,7 @@ All notable changes to this project will be documented in this file.
 [#924]: https://github.com/stackabletech/docker-images/pull/924
 [#925]: https://github.com/stackabletech/docker-images/pull/925
 [#926]: https://github.com/stackabletech/docker-images/pull/926
+[#935]: https://github.com/stackabletech/docker-images/pull/935
 
 ## [24.7.0] - 2024-07-24
 

diff --git a/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch b/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch
@@ -2,15 +2,21 @@ Include Prometheus emitter in distribution
 
 From: Lars Francke <[email protected]>
 
+Update 2024-11-14: fix CVE-2023-34455
 
----
- 0 files changed
+See: https://github.com/stackabletech/vulnerabilities/issues/558
+
+The Prometheus installation brings in a set of redundand dependendencies including the vulnerable
+snappy-java library. Updated versions of this libary are already present in the classpath.
+Therefore, we explicitely remove the affected jars as it it is recommended by the Druid authors here:
+
+https://github.com/apache/druid/blob/09d36ee324747f1407705c27618b6d415c3fa8a9/services/src/main/java/org/apache/druid/cli/PullDependencies.java#L90
 
 diff --git a/distribution/pom.xml b/distribution/pom.xml
-index d7cd645767..eda1ddcfab 100644
+index e27329e96d..ea79123ab3 100644
 --- a/distribution/pom.xml
 +++ b/distribution/pom.xml
-@@ -464,6 +464,52 @@
+@@ -464,6 +464,66 @@
                  </plugins>
              </build>
          </profile>
@@ -55,6 +61,20 @@ index d7cd645767..eda1ddcfab 100644
 +                                    </arguments>
 +                                </configuration>
 +                            </execution>
++                            <execution>
++                                <id>fix-cve-2023-34455-remove-snappy</id>
++                                <phase>package</phase>
++                                <goals>
++                                    <goal>exec</goal>
++                                </goals>
++                                <configuration>
++                                    <executable>rm</executable>
++                                    <arguments>
++                                      <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar</argument>
++                                      <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar</argument>
++                                    </arguments>
++                                </configuration>
++                            </execution>
 +                        </executions>
 +                    </plugin>
 +                </plugins>