acryldata/datahub-actions

datahub-actions container has 4 MAVEN type critical vulnerabilities

justmike1 opened this issue · 8 comments

Describe the issue

I want to use DataHub for my platform, but the datahub-actions container has 4 critical vulnerabilities. I would like it if you could address them and hopefully hotfix them.

Note: CVE-2022-25168
Package: org.apache.hadoop:hadoop-common
Package Type: MAVEN
Affected Version: 3.2.0
Fixed Version: 3.2.4

Note: CVE-2022-37865
Package: org.apache.ivy:ivy
Package Type: MAVEN
Affected Version: 2.4.0
Fixed Version: 2.5.1

Note: CVE-2019-0204
Package: org.apache.mesos:mesos
Package Type: MAVEN
Affected Version: 1.4.0
Fixed Version: 1.4.3

Note: CVE-2021-33036
Package: org.apache.hadoop:hadoop-yarn-server-common
Package Type: MAVEN
Affected Version: 3.2.0
Fixed Version: 3.2.3

Additional Info

acryldata/datahub-postgres-setup has:
Note: CVE-2023-23914
Package: curl
Package Type: OS
Affected Version: 7.87.0 r1
Fixed Version: 7.87.0 r2

Note: CVE-2023-27536
Package: curl
Package Type: OS
Affected Version: 7.87.0 r1
Fixed Version: 7.88.1 r1

acryldata/datahub-kafka-setup has:
Note: CVE-2022-1471
Package: org.yaml:snakeyaml
Package Type: MAVEN
Affected Version: 1.32
Fixed Version: 2.0

Where do I report those?
Using the latest versions for datahub actions (v0.0.12).
Using the latest versions for setup jobs (v0.10.2).

@justmike1 have you looked at the acryldata/datahub-actions-slim image?

I believe @RyanHolstien has been looking into the snakeyaml ones.

@hsheth2 I wasn't aware of it, can you link/describe for me what's the difference? Are there more variations?

The slim image excludes Spark, which should remove some of the Apache library vulns; I believe the ones listed here are covered. I took care of SnakeYaml on the GMS side, and Kevin took care of the SnakeYaml one in kafka setup with: https://github.com/datahub-project/datahub/pull/7795/files

10 hours ago acryldata/datahub-postgres-setup and acryldata/datahub-kafka-setup were updated on the same v0.10.2 tag. I am currently testing them, and I also changed datahub-actions to datahub-actions-slim. Will update.

acryldata/datahub-kafka-setup still has:

  Note: CVE-2022-1471
  Package: org.yaml:snakeyaml
  Package Type: MAVEN
  Affected Version: 1.32
  Fixed Version: 2.0

acryl-datahub-actions-slim still has:

  Note: CVE-2023-24538
  Package: go
  Package Type: GO_STDLIB
  Affected Version: 1.20.2
  Fixed Version: 1.20.3

  Note: CVE-2022-37865
  Package: org.apache.ivy:ivy
  Package Type: MAVEN
  Affected Version: 2.4.0
  Fixed Version: 2.5.1

  Note: CVE-2022-25168
  Package: org.apache.hadoop:hadoop-common
  Package Type: MAVEN
  Affected Version: 3.2.0
  Fixed Version: 3.2.4

  Note: CVE-2021-33036
  Package: org.apache.hadoop:hadoop-yarn-server-common
  Package Type: MAVEN
  Affected Version: 3.2.0
  Fixed Version: 3.2.3

  Note: CVE-2019-0204
  Package: org.apache.mesos:mesos
  Package Type: MAVEN
  Affected Version: 1.4.0
  Fixed Version: 1.4.3

@RyanHolstien @hsheth2

I have seen that datahub-ingestion-base got an update; maybe it fixed some or hopefully all of the datahub-actions CVEs? Maybe datahub-actions should release a new version with every new prod build of datahub-ingestion-base?

This issue is stale because it has been open for 30 days with no activity. If you believe this is still an issue on the latest DataHub release please leave a comment with the version that you tested it with. If this is a question/discussion please head to https://slack.datahubproject.io. For feature requests please use https://feature-requests.datahubproject.io

This issue was closed because it has been inactive for 30 days since being marked as stale.