
Vulnerabilities in JanusGraph dependencies #4486

Open
fmulero opened this issue May 27, 2024 · 1 comment


fmulero commented May 27, 2024

Hello all,

Running a Trivy vulnerabilities scan through the latest release (v1.0.0) there are several issues related to the elasticsearch client for version 7. Could you confirm whether JanusGraph is affected by these vulnerabilities and if so, are there plans to update the related dependencies?

Steps to reproduce:

$ curl -LO https://github.com/JanusGraph/janusgraph/releases/download/v1.0.0/janusgraph-full-1.0.0.zip
$ unzip janusgraph-full-1.0.0.zip
$ trivy rootfs janusgraph-full-1.0.0
...
│ org.elasticsearch:elasticsearch (elasticsearch-7.17.8.jar)   │ CVE-2023-31418      │ HIGH     │          │ 7.17.8            │ 7.17.13, 8.9.0                                   │ elasticsearch: uncontrolled resource consumption             │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2023-31418                   │
│                                                              ├─────────────────────┼──────────┤          │                   ├──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-31417      │ MEDIUM   │          │                   │ 7.17.13, 8.9.2                                   │ elasticsearch: Sensitive information in audit logs           │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2023-31417                   │
│                                                              ├─────────────────────┤          │          │                   ├──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-31419      │          │          │                   │ 7.17.13, 8.9.1                                   │ elasticsearch: StackOverflow vulnerability                   │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2023-31419                   │
│                                                              ├─────────────────────┤          │          │                   ├──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-46673      │          │          │                   │ 7.17.14, 8.10.3                                  │ elasticsearch: Improper Handling of Exceptional Conditions   │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2023-46673                   │
│                                                              ├─────────────────────┤          │          │                   ├──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2024-23450      │          │          │                   │ 7.17.19, 8.13.0                                  │ elasticsearch: Possible denial of service when processing    │
│                                                              │                     │          │          │                   │                                                  │ documents in a deeply nested...                              │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2024-23450                   │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤          ├───────────────────┼──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.xerial.snappy:snappy-java (snappy-java-1.1.2.6.jar)      │ CVE-2023-34455      │ HIGH     │          │ 1.1.2.6           │ 1.1.10.1                                         │ snappy-java: Unchecked chunk length leads to DoS             │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2023-34455                   │
│                                                              ├─────────────────────┤          │          │                   ├──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-43642      │          │          │                   │ 1.1.10.4                                         │ snappy-java: Missing upper bound check on chunk length in    │
│                                                              │                     │          │          │                   │                                                  │ snappy-java can lead...                                      │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2023-43642                   │
│                                                              ├─────────────────────┼──────────┤          │                   ├──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-34453      │ MEDIUM   │          │                   │ 1.1.10.1                                         │ snappy-java: Integer overflow in shuffle leads to DoS        │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2023-34453                   │
│                                                              ├─────────────────────┤          │          │                   │                                                  ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-34454      │          │          │                   │                                                  │ snappy-java: Integer overflow in compress leads to DoS       │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2023-34454                   │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤          ├───────────────────┼──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml (snakeyaml-1.26.jar)                      │ CVE-2022-1471       │ HIGH     │          │ 1.26              │ 2.0                                              │ SnakeYaml: Constructor Deserialization Remote Code Execution │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-1471                    │
│                                                              ├─────────────────────┤          │          │                   ├──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-25857      │          │          │                   │ 1.31                                             │ snakeyaml: Denial of Service due to missing nested depth     │
│                                                              │                     │          │          │                   │                                                  │ limitation for collections...                                │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-25857                   │
│                                                              ├─────────────────────┼──────────┤          │                   │                                                  ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-38749      │ MEDIUM   │          │                   │                                                  │ snakeyaml: Uncaught exception in                             │
│                                                              │                     │          │          │                   │                                                  │ org.yaml.snakeyaml.composer.Composer.composeSequenceNode     │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-38749                   │
│                                                              ├─────────────────────┤          │          │                   │                                                  ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-38750      │          │          │                   │                                                  │ snakeyaml: Uncaught exception in                             │
│                                                              │                     │          │          │                   │                                                  │ org.yaml.snakeyaml.constructor.BaseConstructor.constructObj- │
│                                                              │                     │          │          │                   │                                                  │ ect                                                          │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-38750                   │
│                                                              ├─────────────────────┤          │          │                   │                                                  ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-38751      │          │          │                   │                                                  │ snakeyaml: Uncaught exception in                             │
│                                                              │                     │          │          │                   │                                                  │ java.base/java.util.regex.Pattern$Ques.match                 │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-38751                   │
│                                                              ├─────────────────────┤          │          │                   ├──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-38752      │          │          │                   │ 1.32                                             │ snakeyaml: Uncaught exception in                             │
│                                                              │                     │          │          │                   │                                                  │ java.base/java.util.ArrayList.hashCode                       │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-38752                   │
│                                                              ├─────────────────────┤          │          │                   │                                                  ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-41854      │          │          │                   │                                                  │ dev-java/snakeyaml: DoS via stack overflow                   │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-41854                   │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤          ├───────────────────┼──────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml (elasticsearch-sql-cli-7.17.8.jar)        │ CVE-2022-1471       │ HIGH     │          │ 1.33              │ 2.0                                              │ SnakeYaml: Constructor Deserialization Remote Code Execution │
│                                                              │                     │          │          │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-1471                    │
├──────────────────────────────────────────────────────────────┤                     │          │          │                   │                                                  │                                                              │
│ org.yaml:snakeyaml (snakeyaml-1.33.jar)                      │                     │          │          │                   │                                                  │                                                              │
│                                                              │                     │          │          │                   │                                                  │                                                              │

Is there any plan to update this client?

FlorianHockmann (Member) commented

Looks like we currently only ship Elasticsearch in this version because we still support Java 8:

<!-- ElasticSearch Server 8 doesn't support Java 8 and Java 11.
Thus, we use here the latest ElasticSearch Server which supports both Java 8 and Java 11 (which is 7.17.8 as for now).
We should probably re-think dist tests and re-develop them using docker containers instead of
relying on the JanusGraph running environment.
-->
<url>https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.8-linux-x86_64.tar.gz</url>

apart from that we are already on Elasticsearch 8.10.4:

<elasticsearch.version>8.10.4</elasticsearch.version>

So I guess we also need to abandon Java 8 here to make any progress: #3547.

I haven't looked into the vulnerabilities themselves though so I can't say whether we are affected by them at all or not.

However, this is only a problem if you're using the full distribution, which comes with a complete installation of Elasticsearch & Cassandra. We mostly see this as a distribution to get users quickly up to speed with JanusGraph. For production use cases, especially if security is important, I'd recommend using the default distribution (janusgraph-1.0.0.zip) and deploying your own installation of Cassandra & Elasticsearch. That also enables you to deploy these backends in a more recent version.

And in general, we are of course eager to keep our dependencies up-to-date. We are using Dependabot for example to automatically get PRs for dependency updates and we are also using Trivy scans as part of our CI pipeline.
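The question both posts circle around is whether the shipped artifact versions are actually below the fixes Trivy lists, and, given that the full distribution is pinned to the Elasticsearch 7.x line by the Java 8 requirement, what the smallest upgrade on that line would be. The script below is an added example written for this page; it is not JanusGraph's or Trivy's code. The `FINDINGS` list is transcribed from the Trivy table in the issue as constructed test data. Two assumptions are built in and marked in the code: version ordering is a simplified Maven-style comparison (numeric components, qualifiers such as `rc1` sort before a release), and a newer release line is assumed to carry the fixes Trivy reports for an older line.

```python
"""Triage a Trivy finding table for Java artifacts: is the shipped version below the
fix on its own release line, and which single version clears every CVE per line?"""
import re
from collections import defaultdict
from functools import cmp_to_key

# (package, installed version, CVE, fixed versions) transcribed from the issue's Trivy
# output. Constructed test data for this example, not a live scan result.
FINDINGS = [
    ("org.elasticsearch:elasticsearch", "7.17.8", "CVE-2023-31418", ["7.17.13", "8.9.0"]),
    ("org.elasticsearch:elasticsearch", "7.17.8", "CVE-2023-31417", ["7.17.13", "8.9.2"]),
    ("org.elasticsearch:elasticsearch", "7.17.8", "CVE-2023-31419", ["7.17.13", "8.9.1"]),
    ("org.elasticsearch:elasticsearch", "7.17.8", "CVE-2023-46673", ["7.17.14", "8.10.3"]),
    ("org.elasticsearch:elasticsearch", "7.17.8", "CVE-2024-23450", ["7.17.19", "8.13.0"]),
    ("org.xerial.snappy:snappy-java", "1.1.2.6", "CVE-2023-34455", ["1.1.10.1"]),
    ("org.xerial.snappy:snappy-java", "1.1.2.6", "CVE-2023-43642", ["1.1.10.4"]),
    ("org.xerial.snappy:snappy-java", "1.1.2.6", "CVE-2023-34453", ["1.1.10.1"]),
    ("org.xerial.snappy:snappy-java", "1.1.2.6", "CVE-2023-34454", ["1.1.10.1"]),
    ("org.yaml:snakeyaml", "1.26", "CVE-2022-1471", ["2.0"]),
    ("org.yaml:snakeyaml", "1.26", "CVE-2022-25857", ["1.31"]),
    ("org.yaml:snakeyaml", "1.26", "CVE-2022-38749", ["1.31"]),
    ("org.yaml:snakeyaml", "1.26", "CVE-2022-38750", ["1.31"]),
    ("org.yaml:snakeyaml", "1.26", "CVE-2022-38751", ["1.31"]),
    ("org.yaml:snakeyaml", "1.26", "CVE-2022-38752", ["1.32"]),
    ("org.yaml:snakeyaml", "1.26", "CVE-2022-41854", ["1.32"]),
    ("org.yaml:snakeyaml", "1.33", "CVE-2022-1471", ["2.0"]),
]


def parse_version(v):
    """Split '7.17.8' or '1.0-rc1' into comparable components. Assumption: simplified
    Maven ordering, numeric parts compare as ints and any qualifier sorts before them."""
    parts = []
    for tok in re.split(r"[.\-_]", v):
        if tok.isdigit():
            parts.append((1, int(tok)))
        elif tok:
            parts.append((0, tok.lower()))
    return parts


def compare_versions(a, b):
    """-1/0/1 ordering with zero padding so that '1.0' == '1.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [(1, 0)] * (n - len(pa))
    pb += [(1, 0)] * (n - len(pb))
    return (pa > pb) - (pa < pb)


cmp_key = cmp_to_key(compare_versions)


def version_lt(a, b):
    return compare_versions(a, b) < 0


def major(v):
    """Release line of a version, e.g. ('7.17.8') -> (1, 7)."""
    return parse_version(v)[0]


def is_affected(installed, fixes):
    """Trivy lists one fix per release line; compare against the fix on our own line.
    With no fix on our line we are affected unless already past every listed fix."""
    same_line = [f for f in fixes if major(f) == major(installed)]
    if same_line:
        return version_lt(installed, min(same_line, key=cmp_key))
    return any(version_lt(installed, f) for f in fixes)


def minimal_fix_on_line(line, rows):
    """Smallest version on `line` clearing every CVE in `rows`, or None if some CVE
    has no fix on or below that line (e.g. snakeyaml 1.x for CVE-2022-1471)."""
    required = []
    for _, _, _cve, fixes in rows:
        on_line = [f for f in fixes if major(f) == line]
        if on_line:
            required.append(min(on_line, key=cmp_key))
        elif not any(major(f) < line for f in fixes):
            return None
        # else: assumption, a newer line carries the fix Trivy reports for an older one
    return max(required, key=cmp_key) if required else None


def triage(findings):
    """Group findings by (package, installed version) and summarise each group."""
    by_pkg = defaultdict(list)
    for row in findings:
        by_pkg[(row[0], row[1])].append(row)
    report = {}
    for (pkg, installed), rows in by_pkg.items():
        affected = [cve for _, _, cve, fixes in rows if is_affected(installed, fixes)]
        lines = sorted({major(f) for row in rows for f in row[3]} | {major(installed)})
        report[(pkg, installed)] = {
            "affected": affected,
            "fix_by_line": {line[1]: minimal_fix_on_line(line, rows) for line in lines},
        }
    return report


if __name__ == "__main__":
    for (pkg, installed), info in triage(FINDINGS).items():
        print(f"{pkg} {installed}: {len(info['affected'])} CVE(s), "
              f"minimal fix per release line {info['fix_by_line']}")
```

For the table in the issue this reports that staying on Elasticsearch 7.x requires 7.17.19 (the highest of the per-CVE 7.17.x fixes), snappy-java needs 1.1.10.4, and snakeyaml has no clearing version on the 1.x line at all because CVE-2022-1471 is only fixed in 2.0, which is exactly the kind of forced major-line jump the Java 8 discussion above is about. Whether a listed CVE is reachable in how JanusGraph uses the library is a separate question the version comparison cannot answer.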
