nmyphp/tbschedule

Dependency org.apache.zookeeper:zookeeper, leading to CVE problem

Closed this issue · 3 comments

Hi, in tbschedule-3.4.1/tbschedule-core, there is a dependency org.apache.zookeeper:zookeeper:3.4.6 that calls the risk method.

CVE-2019-0201

The affected version range of this CVE is [,3.4.14), [3.5.0-alpha, 3.5.5)

After further analysis, in this project, the main API called is <org.apache.zookeeper.server.FinalRequestProcessor: void processRequest(org.apache.zookeeper.server.Request)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 4

<org.apache.zookeeper.server.FinalRequestProcessor: void processRequest(org.apache.zookeeper.server.Request)>
at <org.apache.zookeeper.server.quorum.CommitProcessor: void run()> (org.apache.zookeeper.server.quorum.CommitProcessor.java:[74]) in /.m2/repository/org/apache/zookeeper/zookeeper/3.4.6/zookeeper-3.4.6.jar
at <com.taobao.pamirs.schedule.taskmanager.TBScheduleProcessorNotSleep: void startThread(int)> (com.taobao.pamirs.schedule.taskmanager.TBScheduleProcessorNotSleep.java:[119]) in /detect/unzip/tbschedule-3.4.1/tbschedule-core/target/classes
at <com.taobao.pamirs.schedule.taskmanager.TBScheduleProcessorNotSleep: void <init>(com.taobao.pamirs.schedule.taskmanager.TBScheduleManager,com.taobao.pamirs.schedule.IScheduleTaskDeal,com.taobao.pamirs.schedule.taskmanager.StatisticsInfo)> (com.taobao.pamirs.schedule.taskmanager.TBScheduleProcessorNotSleep.java:[97]) in /detect/unzip/tbschedule-3.4.1/tbschedule-core/target/classes

Dependency tree--

[INFO] com.taobao.pamirs.schedule:tbschedule-core:jar:3.4.1
[INFO] +- org.springframework:spring-context:jar:4.1.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:4.1.1.RELEASE:compile
[INFO] |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.1.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.1.1.RELEASE:compile
[INFO] |  |  \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |  \- org.springframework:spring-expression:jar:4.1.1.RELEASE:compile
[INFO] +- javax.servlet:servlet-api:jar:2.5:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- com.google.code.gson:gson:jar:2.1:compile
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.4.6:compile
[INFO] |  +- log4j:log4j:jar:1.2.16:compile
[INFO] |  +- jline:jline:jar:0.9.94:compile
[INFO] |  \- io.netty:netty:jar:3.7.0.Final:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.6.1:compile
[INFO] \- org.projectlombok:lombok:jar:1.16.16:compile

Suggested solutions:

Update dependency version

Thank you very much.
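Added check, not part of this issue or of the tbschedule project: a small Python script that scans `mvn dependency:tree` output for org.apache.zookeeper:zookeeper and reports any version inside the affected ranges quoted above ([,3.4.14) and [3.5.0-alpha, 3.5.5)). The version ordering is an assumed, simplified approximation of Maven's; the sample tree is a subset of the one posted in this issue.

```python
import re

# Coordinates and affected ranges exactly as quoted in the issue (CVE-2019-0201).
VULN_GROUP, VULN_ARTIFACT = "org.apache.zookeeper", "zookeeper"
AFFECTED_RANGES = ["[,3.4.14)", "[3.5.0-alpha, 3.5.5)"]

# Matches one "groupId:artifactId:type:version[:scope]" coordinate in a tree line.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)")
RANGE_RE = re.compile(r"([\[(])\s*([^,]*?)\s*,\s*([^,\])]*?)\s*([\])])")

def version_key(version):
    """Sort key approximating Maven ordering: 3.4.6 < 3.4.14, 3.5.0-alpha < 3.5.0 (assumption)."""
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    nums += (0,) * (3 - len(nums))                    # pad so 3.4 compares like 3.4.0
    return (nums, 0 if qualifier else 1, qualifier)   # qualified build < plain release

def in_range(version, spec):
    """True if version lies inside a Maven range such as [,3.4.14) or [3.5.0-alpha, 3.5.5)."""
    lo_br, lo, hi, hi_br = RANGE_RE.fullmatch(spec.strip()).groups()
    v = version_key(version)
    if lo and (v < version_key(lo) or (v == version_key(lo) and lo_br != "[")):
        return False
    if hi and (v > version_key(hi) or (v == version_key(hi) and hi_br != "]")):
        return False
    return True

def find_affected(tree_text, group=VULN_GROUP, artifact=VULN_ARTIFACT, ranges=AFFECTED_RANGES):
    """Return every version of group:artifact in the tree that falls in an affected range."""
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m and m.group(1) == group and m.group(2) == artifact:
            if any(in_range(m.group(3), r) for r in ranges):
                hits.append(m.group(3))
    return hits

# Sample input: a subset of the dependency tree posted in this issue.
SAMPLE_TREE = """\
[INFO] com.taobao.pamirs.schedule:tbschedule-core:jar:3.4.1
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.4.6:compile
[INFO] |  \\- io.netty:netty:jar:3.7.0.Final:compile
[INFO] \\- org.projectlombok:lombok:jar:1.16.16:compile
"""

if __name__ == "__main__":
    # On a real build: mvn dependency:tree > tree.txt, then pass the file contents here.
    for v in find_affected(SAMPLE_TREE):
        print(f"affected: {VULN_GROUP}:{VULN_ARTIFACT}:{v} (fix: upgrade to 3.4.14 or later)")
```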

@nmyphp
Could you please help me check this issue?
May I pull a request to fix it?
Thanks again.

May I pull a request to fix it?

  • Yes, you can.

Upgraded zookeeper to 3.4.14.