Druid Vulnerability Analysis

We did a vulnerability analysis on the latest version of Druid and found the below critical vulnerabilities in the dependent libraries bundled with Druid. Could you please update the version of these dependencies to the latest version?

CVE             Package                                      Version           Severity  Status
CVE-2018-14719  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.7
CVE-2017-7658   org.eclipse.jetty_jetty-io                   9.4.10.v20180503  critical  fixed in 9.4.11, 9.3.24
CVE-2017-7657   org.eclipse.jetty_jetty-io                   9.4.10.v20180503  critical  fixed in 9.4.11, 9.3.24
CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.2.3             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3
CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.2.3             critical  fixed in 2.9.7
CVE-2017-5645   org.apache.logging.log4j_log4j-api           2.4               critical  fixed in 2.8.2
CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.4.0             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3
CVE-2017-5929   ch.qos.logback_logback-core                  1.1.2             critical  fixed in 1.2.0
CVE-2016-3720   com.fasterxml.jackson.core_jackson-core      2.4.0             critical
CVE-2016-3720   com.fasterxml.jackson.core_jackson-core      2.2.3             critical
CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.4.0             critical  fixed in 2.9.7
CVE-2016-3720   com.fasterxml.jackson.core_jackson-core      2.6.7             critical
CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3
CVE-2017-5645   org.apache.logging.log4j_log4j-api           2.5               critical  fixed in 2.8.2
CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.4.6             critical  fixed in 2.9.7
CVE-2018-19362  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.8
CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.4.6             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3
CVE-2018-19361  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.8
CVE-2018-19360  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.8
CVE-2017-7657   org.eclipse.jetty_jetty-io                   9.2.5.v20141112   critical  fixed in 9.4.11, 9.3.24
CVE-2017-7658   org.eclipse.jetty_jetty-io                   9.2.5.v20141112   critical  fixed in 9.4.11, 9.3.24
CVE-2018-14721  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.7
CVE-2016-3720   com.fasterxml.jackson.core_jackson-core      2.4.6             critical
CVE-2018-14720  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.7
CVE-2017-7525   com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.8.9, 2.7.9.1, 2.6.7.1
CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.7
CVE-2016-7051   com.fasterxml.jackson.core_jackson-core      2.4.6             high      fixed in 2.8.4, 2.7.8
CVE-2017-9735   org.eclipse.jetty_jetty-io                   9.2.5.v20141112   high
CVE-2017-7656   org.eclipse.jetty_jetty-io                   9.2.5.v20141112   high      fixed in 9.4.11, 9.3.24
CVE-2015-2080   org.eclipse.jetty_jetty-http                 9.2.5.v20141112   high      fixed in 9.2.9, 9.2
CVE-2018-5968   com.fasterxml.jackson.core_jackson-databind  2.4.6             high
CVE-2018-5968   com.fasterxml.jackson.core_jackson-databind  2.6.7             high
CVE-2016-5017   org.apache.zookeeper_zookeeper               3.4.6             high      fixed in 3.5.3, 3.4.9
CVE-2017-5637   org.apache.zookeeper_zookeeper               3.4.6             high
CVE-2018-8012   org.apache.zookeeper_zookeeper               3.4.6             high      fixed in 3.4.10
CVE-2018-5968   com.fasterxml.jackson.core_jackson-databind  2.4.0             high
CVE-2016-7051   com.fasterxml.jackson.core_jackson-core      2.6.7             high      fixed in 2.8.4, 2.7.8
CVE-2016-7051   com.fasterxml.jackson.core_jackson-core      2.4.0             high      fixed in 2.8.4, 2.7.8
CVE-2016-7051   com.fasterxml.jackson.core_jackson-core      2.2.3             high      fixed in 2.8.4, 2.7.8
CVE-2018-5968   com.fasterxml.jackson.core_jackson-databind  2.2.3             high
CVE-2017-7656   org.eclipse.jetty_jetty-io                   9.4.10.v20180503  high      fixed in 9.4.11, 9.3.24
CVE-2018-12545  org.eclipse.jetty_jetty-io                   9.4.10.v20180503  high

Hey Divay,

Could you please raise this as an issue on github: https://github.com/apache/incubator-druid/issues

Thanks!

Hi Gian,

Thank you for your reply. I have raised this issue on github.

Thanks and Regards

Divay Bansal