Fix CVEs (#224)

* Dep upgrades * Upgrade netty * Upgrade netty * Exclude janino * Try to pin janino * Pin janino version for spark 3.3.x * Move janino pin * Update PK * Exclude log4j-impl (only in spark 3.3) * Changes
exasol · May 14, 2024 · 8503c83 · 8503c83
1 parent 4d09214
commit 8503c83
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 2 deletions.
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
diff --git a/doc/changes/changes_2.1.7.md b/doc/changes/changes_2.1.7.md
@@ -0,0 +1,26 @@
+# Spark Connector 2.1.7, released 2024-05-14
+
+Code name: Fix CVEs in runtime dependencies
+
+## Summary
+This release fixes the following vulnerabilities in dependencies:
+CVE-2024-29131 & CVE-2024-29133 in org.apache.commons:commons-configuration2:jar:2.8.0:provided
+
+## Features
+
+* #224: CVE-2024-29131 & CVE-2024-29133 in org.apache.commons:commons-configuration2:jar:2.8.0:provided
+* Fix issues in spark 3.3 dependencies caused by spark-connector-common-java upgrade
+
+## Dependency Updates
+
+### Spark Exasol Connector With JDBC
+
+#### Compile Dependency Updates
+
+* Updated `com.exasol:spark-connector-common-java:2.0.1` to `2.0.5`
+
+### Spark Exasol Connector With S3
+
+#### Compile Dependency Updates
+
+* Updated `com.exasol:spark-connector-common-java:2.0.1` to `2.0.5`
diff --git a/exasol-jdbc/pom.xml b/exasol-jdbc/pom.xml
@@ -52,8 +52,10 @@
             <artifactId>guava</artifactId>
         </dependency>
         <dependency>
+            <!-- Upgrade transitive dependency of  org.apache.hadoop:hadoop-client:jar:3.3.6 to fix CVE-2024-29025 -->
             <groupId>io.netty</groupId>
             <artifactId>netty-all</artifactId>
+            <version>4.1.109.Final</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>

diff --git a/exasol-s3/pom.xml b/exasol-s3/pom.xml
@@ -35,8 +35,10 @@
             <artifactId>hadoop-client</artifactId>
         </dependency>
         <dependency>
+            <!-- Upgrade transitive dependency of  org.apache.hadoop:hadoop-client:jar:3.3.6 to fix CVE-2024-29025 -->
             <groupId>io.netty</groupId>
             <artifactId>netty-all</artifactId>
+            <version>4.1.109.Final</version>
         </dependency>
         <dependency>
             <groupId>software.amazon.awssdk</groupId>

diff --git a/parent-pom/pom.xml b/parent-pom/pom.xml
@@ -15,7 +15,7 @@
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
     <properties>
-        <revision>2.1.6</revision>
+        <revision>2.1.7</revision>
         <java.version>8</java.version>
         <log4j.version>2.20.0</log4j.version>
         <junit.version>5.10.0</junit.version>
@@ -47,7 +47,7 @@
             <dependency>
                 <groupId>com.exasol</groupId>
                 <artifactId>spark-connector-common-java</artifactId>
-                <version>2.0.1</version>
+                <version>2.0.5</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.spark</groupId>
@@ -79,6 +79,10 @@
                         <groupId>log4j</groupId>
                         <artifactId>log4j</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>org.apache.logging.log4j</groupId>
+                        <artifactId>log4j-slf4j-impl</artifactId>
+                    </exclusion>
                     <exclusion>
                         <groupId>io.netty</groupId>
                         <artifactId>netty</artifactId>
@@ -216,6 +220,18 @@
                 <version>${jackson.version}</version>
                 <scope>provided</scope>
             </dependency>
+            <dependency>
+                <groupId>org.codehaus.janino</groupId>
+                <artifactId>janino</artifactId>
+                <version>${janino.version}</version>
+                <scope>provided</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.codehaus.janino</groupId>
+                <artifactId>commons-compiler</artifactId>
+                <version>${janino.version}</version>
+                <scope>provided</scope>
+            </dependency>
             <dependency>
                 <!-- Pinned to fix CVE-2023-52428 -->
                 <groupId>com.nimbusds</groupId>
@@ -321,6 +337,12 @@
                 <artifactId>commons-compress</artifactId>
                 <version>1.26.0</version>
             </dependency>
+            <dependency>
+                <!-- Upgrade transitive dependency of  org.apache.hadoop:hadoop-client:jar:3.3.6 to fix CVE-2024-29131 & CVE-2024-29133 -->
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-configuration2</artifactId>
+                <version>2.10.1</version>
+            </dependency>
             <dependency>
                 <!-- Upgrade transitive dependency of org.apache.hadoop:hadoop-common to fix CVE-2023-39410 -->
                 <groupId>org.apache.avro</groupId>
@@ -516,6 +538,8 @@
                 <scala.compat.version>2.13</scala.compat.version>
                 <hadoop.version>3.3.6</hadoop.version>
                 <jackson.version>2.15.4</jackson.version>
+                <!-- spark-catalyst 3.3.x depends on old Codehaus Janino version, so we need explicit pin -->
+                <janino.version>3.1.12</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>
@@ -534,6 +558,8 @@
                 <scala.compat.version>2.13</scala.compat.version>
                 <hadoop.version>3.3.6</hadoop.version>
                 <jackson.version>2.14.2</jackson.version>
+                <!-- spark-catalyst 3.3.x depends on old Codehaus Janino version, so we need explicit pin -->
+                <janino.version>3.1.12</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>
@@ -549,6 +575,7 @@
                 <scala.compat.version>2.12</scala.compat.version>
                 <hadoop.version>3.3.4</hadoop.version>
                 <jackson.version>2.14.2</jackson.version>
+                <janino.version>3.1.12</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>
@@ -568,6 +595,8 @@
                     Scala module 2.13.4 requires Jackson Databind version >= 2.13.0 and < 2.14.0
                 -->
                 <jackson.version>2.13.4.2</jackson.version>
+                <!-- spark-catalyst 3.3.x depends on old Codehaus Janino version -->
+                <janino.version>3.0.16</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>
@@ -582,6 +611,7 @@
                 <scala.compat.version>2.12</scala.compat.version>
                 <hadoop.version>3.3.2</hadoop.version>
                 <jackson.version>2.13.4.2</jackson.version>
+                <janino.version>3.0.16</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>

diff --git a/pom.xml b/pom.xml
@@ -61,6 +61,7 @@
                 <scala.compat.version>2.12</scala.compat.version>
                 <jackson.version>2.13.4.2</jackson.version>
                 <jersey.version>3.1.1</jersey.version>
+                <janino.version>3.0.16</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>
@@ -78,6 +79,7 @@
                 -->
                 <jackson.version>2.13.4.2</jackson.version>
                 <jersey.version>3.1.1</jersey.version>
+                <janino.version>3.0.16</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>
@@ -94,6 +96,7 @@
                 <scala.compat.version>2.13</scala.compat.version>
                 <jackson.version>2.14.2</jackson.version>
                 <jersey.version>3.1.2</jersey.version>
+                <janino.version>3.1.12</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>
@@ -111,6 +114,7 @@
                 <scala.compat.version>2.13</scala.compat.version>
                 <jackson.version>2.15.4</jackson.version>
                 <jersey.version>3.1.2</jersey.version>
+                <janino.version>3.1.12</janino.version>
             </properties>
             <modules>
                 <module>exasol-jdbc</module>