CVE-2024-53990: AsyncHttpClient

Dremio seems to be affected by this critical vulnerability, CVE-2024-53990:

$ trivy image -q --vuln-type library -s CRITICAL dremio/dremio-oss

Java (jar)

Total: 4 (CRITICAL: 4)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │         Installed Version          │ Fixed Version │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.avro:avro                                         │ CVE-2024-47561 │ CRITICAL │ fixed  │ 1.11.3                             │ 1.11.4        │ Apache Avro Java SDK: Arbitrary Code Execution when reading │
│ (dremio-hive3-exec-shaded-25.2.0-202410241428100111-a963b97- │                │          │        │                                    │               │ Avro Data (Java...                                          │
│ 0.jar)                                                       │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2024-47561                  │
├──────────────────────────────────────────────────────────────┤                │          │        │                                    │               │                                                             │
│ org.apache.avro:avro                                         │                │          │        │                                    │               │                                                             │
│ (dremio-ce-hive3-plugin-25.2.0-202410241428100111-a963b970.- │                │          │        │                                    │               │                                                             │
│ jar)                                                         │                │          │        │                                    │               │                                                             │
├──────────────────────────────────────────────────────────────┼────────────────┤          │        ├────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.calcite:calcite-core                              │ CVE-2022-39135 │          │        │ 1.21.0-202408272207160933-20207fef │ 1.32.0        │ calcite: XXE via SQL operators                              │
│ (calcite-core-1.21.0-202408272207160933-20207fef.jar)        │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2022-39135                  │
├──────────────────────────────────────────────────────────────┼────────────────┤          │        ├────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.asynchttpclient:async-http-client                        │ CVE-2024-53990 │          │        │ 2.7.0                              │ 2.12.4, 3.0.1 │ The AsyncHttpClient (AHC) library allows Java applications  │
│ (async-http-client-2.7.0.jar)                                │                │          │        │                                    │               │ to easily e ...                                             │
│                                                              │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2024-53990                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

The class AsyncHttpClientProvider uses the default cookieStore, which is affected.

Do you have any information/statement about this CVE? Do you have any plan to upgrade the affected libraries?
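A way to turn the scan above into a repeatable check, as an added example that is not part of this thread and not Dremio's code: the script below reads Trivy's JSON report (`trivy image --format json ...`, schema version 2, whose `Results[].Vulnerabilities[]` field names are Trivy's own) and fails the build when a watched CVE such as CVE-2024-53990 is listed, printing the jar that carries it and an upgrade target. The embedded report is constructed from the table in the post (the `PkgPath` values are shortened to the jar names shown there), and the rule for choosing an upgrade target from a multi-branch `FixedVersion` such as `2.12.4, 3.0.1` (prefer the fixed release on the installed major line) is this example's own heuristic, not something Trivy does.

```python
"""CI gate over a Trivy JSON image report (added example, not the forum's or Dremio's code)."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: a trimmed Trivy schema-v2 report mirroring two rows of the
# table in the post. Real reports carry many more fields and full paths in PkgPath.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "dremio/dremio-oss",
    "Results": [{
        "Target": "Java", "Class": "lang-pkgs", "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-53990",
             "PkgName": "org.asynchttpclient:async-http-client",
             "PkgPath": "async-http-client-2.7.0.jar",
             "InstalledVersion": "2.7.0", "FixedVersion": "2.12.4, 3.0.1",
             "Status": "fixed", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-39135",
             "PkgName": "org.apache.calcite:calcite-core",
             "PkgPath": "calcite-core-1.21.0-202408272207160933-20207fef.jar",
             "InstalledVersion": "1.21.0-202408272207160933-20207fef",
             "FixedVersion": "1.32.0", "Status": "fixed", "Severity": "CRITICAL"},
        ],
    }],
})


def parse_version(version):
    """Leading dotted numeric components of a Maven-style version, as a tuple.
    Build metadata after the first '-' is ignored, so
    '1.21.0-202408272207160933-20207fef' -> (1, 21, 0)."""
    parts = []
    for piece in version.split("-", 1)[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def nearest_fix(installed, fixed_field):
    """Choose an upgrade target from Trivy's FixedVersion field.
    Trivy lists one fixed version per patched release line, joined by ', '
    (e.g. '2.12.4, 3.0.1'). Heuristic (this example's, not Trivy's): prefer the
    line sharing the installed major version, so 2.7.0 -> 2.12.4 and
    3.0.0 -> 3.0.1; otherwise take the lowest listed fix. None when no fix exists."""
    candidates = [c.strip() for c in fixed_field.split(",") if c.strip()]
    if not candidates:
        return None
    major = parse_version(installed)[:1]
    same_line = [c for c in candidates if parse_version(c)[:1] == major]
    return min(same_line or candidates, key=parse_version)


def find_watched(report_json, watched_cves=None, min_severity="CRITICAL"):
    """Return the findings that should fail the build: every listed CVE in
    watched_cves, or, when watched_cves is None, every finding at or above
    min_severity. Targets with no findings have no 'Vulnerabilities' key
    (or a null one), so both cases are tolerated."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            cve = vuln["VulnerabilityID"]
            severity = vuln.get("Severity", "UNKNOWN")
            if watched_cves is not None:
                if cve not in watched_cves:
                    continue
            elif SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            installed = vuln.get("InstalledVersion", "")
            hits.append({
                "cve": cve,
                "severity": severity,
                "pkg": vuln["PkgName"],
                "path": vuln.get("PkgPath") or result.get("Target", ""),
                "installed": installed,
                "status": vuln.get("Status", ""),
                "upgrade_to": nearest_fix(installed, vuln.get("FixedVersion", "")),
            })
    return hits


def main(argv):
    # Usage: python gate.py report.json [CVE ...]
    # Without a report path the constructed sample is used; without CVE
    # arguments every CRITICAL finding fails the gate (exit status 1).
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_REPORT
    watched = set(argv[2:]) or None
    hits = find_watched(data, watched)
    for h in hits:
        target = h["upgrade_to"] or "no fix available"
        print(f'{h["cve"]} {h["severity"]} {h["pkg"]} {h["installed"]} '
              f'({h["path"]}, status={h["status"]}) -> upgrade to {target}')
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real report with `trivy image --format json -o report.json dremio/dremio-oss` followed by `python gate.py report.json CVE-2024-53990`; a non-zero exit status means the jar is still in the image. The presence of a finding is Trivy's judgement; the script only selects which findings block the build and which release to ask for, so it should be rerun after each Dremio upgrade rather than treated as a one-off.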

We take security issues seriously here. Security | Dremio has some more information about our approach. In general, we resolve exploitable security issues within our internal security SLAs based on severity, while also aiming to keep other packages with vulnerabilities (that aren't exploitable) up to date. We do our best to document package changes in the release notes as well. You can see some of the updates made in 25.0.0 and subsequent releases on the website here.