Upgrade vulnerable version of reload4j and aws-java-sdk dependencies #24606
Conversation
70da419 to ca2dee0
Upgrade the aws-java-sdk version to 1.12.640 to fix the ion-java vulnerability
Upgrade the reload4j version to 1.2.22 to fix the vulnerability
ca2dee0 to 46e1d2a
Thanks for the release note entry! Suggest linking to the relevant CVEs. See Phrasing in the Release Notes Guidelines for an example.
Thanks, @steveburnett, for your feedback. I have updated the release note based on your suggestions.
Thanks for updating the release note entry! Sorry about making a mistake in my suggested draft - could you fix my typo in the second line? "Upgrad reload4j" should be "Upgrade reload4j".
@@ -48,7 +48,7 @@ | |||
<dep.packaging.version>${dep.airlift.version}</dep.packaging.version> | |||
<dep.slice.version>0.38</dep.slice.version> | |||
<dep.testing-mysql-server-5.version>0.6</dep.testing-mysql-server-5.version> | |||
<dep.aws-sdk.version>1.12.560</dep.aws-sdk.version> | |||
<dep.aws-sdk.version>1.12.640</dep.aws-sdk.version> |
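Review bot: the bump from 1.12.560 to 1.12.640 is justified only by "the ion-java vulnerability" in the commit message; no CVE or advisory identifier appears in the hunk, the commit message or the description, so a later reader cannot tell whether the ion-java version that 1.12.640 pulls in transitively is actually past the fixed release. Suggest naming the advisory in the release note and confirming the resolved transitive version with `mvn dependency:tree -Dincludes=software.amazon.ion:ion-java` before merging, since the SDK property alone does not pin ion-java.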
@ShahimSharafudeen Looks like even version 1.12.640 has CVEs for artifact aws-java-sdk-core, which uses this SDK version in Presto: https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-core/1.12.640 (But it looks like those CVEs are in test dependencies.) The other two AWS artifacts, aws-java-sdk-glue and aws-java-sdk-s3, are CVE-free even with the existing aws version 1.12.560.
@agrawalreetika - If we check version 1.12.560, we can see that an ion-java vulnerability exists there. In version 1.12.640, it was resolved and has no vulnerabilities. So, we used the resolved version here.
We should just upgrade to the latest version (1.12.782) to ensure it solves as many CVEs as possible.
@@ -16,7 +16,7 @@ | |||
<air.main.basedir>${project.parent.basedir}</air.main.basedir> | |||
<dep.accumulo.version>1.10.1</dep.accumulo.version> | |||
<dep.curator.version>2.12.0</dep.curator.version> | |||
<dep.reload4j.version>1.2.18.3</dep.reload4j.version> | |||
<dep.reload4j.version>1.2.22</dep.reload4j.version> |
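Review bot: this bump crosses 1.2.18.4, which the PR description says dropped the Log4j classes from reload4j, so it is not a drop-in version change: the description compensates by adding the Log4j 1.x compatibility API, but that new dependency is not in this hunk, and the issue being fixed is identified only by the Mend ID WS-2022-0467 with no CVE. Suggest landing the property bump and the compatibility dependency together, and citing the advisory in the commit message so the reason for leaving 1.2.18.3 is recorded next to the change.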
Why this upgrade? I see that both the existing and the new version have CVEs coming from test dependencies:
https://mvnrepository.com/artifact/ch.qos.reload4j/reload4j/1.2.18.3
https://mvnrepository.com/artifact/ch.qos.reload4j/reload4j/1.2.22
I don't see that resolved even on the latest version.
@agrawalreetika - Regarding the reload4j dependency, we can see a vulnerability identified by the Mend tool scan (OSS Scan - WS-2022-0467), which is also described in the PR description. The fix is only available in reload4j version 1.2.22
We should just upgrade to the latest (1.2.26) if it does actually resolve a CVE. However, as Reetika pointed out, the mvnrepository link shows the CVE has not been resolved in any new version.
@ShahimSharafudeen can you link to the specific CVE the scan was reporting. The github issue linked has no attached CVE.
<artifactId>duplicate-finder-maven-plugin</artifactId> | ||
<configuration> | ||
<ignoredResourcePatterns> | ||
<ignoredResourcePattern>org/apache/log4j/xml/log4j.dtd</ignoredResourcePattern> | ||
</ignoredResourcePatterns> | ||
<ignoredClassPatterns> | ||
<ignoredClassPattern>org.apache.log4j.*</ignoredClassPattern> | ||
</ignoredClassPatterns> |
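Review bot: the `org.apache.log4j.*` ignore pattern silences duplicate-finder for every class in the package, so the plugin will no longer report which two artifacts ship the same `org.apache.log4j` classes, nor catch a future conflict in that package; with two copies on the classpath, which implementation actually loads is decided by classpath order. Same for the `org/apache/log4j/xml/log4j.dtd` resource. Suggest dropping both ignore entries and excluding the redundant artifact from whichever dependency pulls it in, so the build has exactly one provider of those classes.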
We should not be ignoring duplicates. The duplicates need to be handled by excluding the dependencies
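As an added example (not code from this PR or from Presto), the Maven fragment below shows how both review points above can be enforced at build time instead of being argued in a scanner report: a `<exclusions>` entry removes the second copy of `org.apache.log4j.*` at its source rather than hiding it from duplicate-finder, and a `maven-enforcer-plugin` `bannedDependencies` rule fails the build if the resolved tree still contains an ion-java below the fixed release or any path that brings classic `log4j:log4j` back. The coordinates `org.example:library-that-drags-in-log4j` and the ion-java lower bound `1.10.5` are assumptions for illustration, not values taken from the PR; replace them with what `mvn dependency:tree` shows in the actual build.

```xml
<!-- Added example, not part of PR #24606. Values marked ASSUMED are
     placeholders: take the real ones from `mvn dependency:tree` and from
     the advisory your scanner reports. -->
<project>
  <dependencies>
    <!-- ASSUMED: a dependency that transitively pulls log4j:log4j.
         Excluding it removes the duplicate org.apache.log4j.* classes
         instead of silencing duplicate-finder-maven-plugin. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>library-that-drags-in-log4j</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-vulnerable-and-duplicate-logging-deps</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- searchTransitive defaults to true: the whole resolved
                     dependency tree is checked, not just direct entries. -->
                <bannedDependencies>
                  <excludes>
                    <!-- ASSUMED fix boundary: anything below 1.10.5 is banned;
                         set the bound from the ion-java advisory you are fixing. -->
                    <exclude>software.amazon.ion:ion-java:(,1.10.5)</exclude>
                    <!-- No path may reintroduce classic log4j once reload4j
                         or the Log4j 1.x compatibility API is the chosen provider. -->
                    <exclude>log4j:log4j</exclude>
                  </excludes>
                  <message>
                    Vulnerable ion-java or a second log4j 1.x implementation is on the
                    classpath. Fix or exclude the dependency; do not ignore the duplicate.
                  </message>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn enforcer:enforce` (or a normal `mvn verify`) after merging a version bump; when the rule fires, `mvn dependency:tree -Dincludes=software.amazon.ion:ion-java` or `-Dincludes=log4j:log4j` prints the exact path that still brings the banned artifact in, which is the dependency that needs an exclusion or an upgrade. Because the rule checks the resolved tree, it also settles the test-scope question raised above: if the only remaining path is test-scoped, the printed path shows it, and the scope can be added to the pattern (`groupId:artifactId:version:type:scope`) if test scope is to be tolerated deliberately.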
Description
Log4j was removed from reload4j version 1.2.18.4. Therefore, upgrading this dependency causes a "Cannot instantiate class TestNGException" error in the Presto-accum module test classes. To resolve this issue, we are adding the latest version of the Apache Log4j 1.x Compatibility API.
Motivation and Context
To resolve the vulnerability issues on the aws-java-sdk and reload4j dependencies.
Impact
Test Plan
Contributor checklist
Release Notes