Multiple CVEs in Dremio OSS dependencies

Hi team,

When building Dremio OSS and scanning the build directory for vulnerabilities, we can see that there are many CRITICAL/HIGH vulnerabilities affecting the dependencies included in the application. Most of these vulnerabilities affect the dremio-hive2-exec-shaded and dremio-hive2-plugin packages.

┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬──────────┬─────────────────────────────────────────┬─────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                           Library                            │    Vulnerability    │ Severity │  Status  │            Installed Version            │                  Fixed Version                  │                            Title                             │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼──────────┼─────────────────────────────────────────┼─────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind                  │ CVE-2017-15095      │ CRITICAL │ fixed    │ 2.6.3                                   │ 2.8.11, 2.9.4, 2.6.7.3, 2.7.9.2                 │ jackson-databind: Unsafe deserialization due to incomplete   │
│ (dremio-hive2-exec-shaded-25.1.0-202409042012430619-15cc647- │                     │          │          │                                         │                                                 │ black list (incomplete fix for CVE-2017-7525)...             │
│ 1.jar)                                                       │                     │          │          │                                         │                                                 │ https://avd.aquasec.com/nvd/cve-2017-15095                   │
├──────────────────────────────────────────────────────────────┤                     │          │          │                                         │                                                 │                                                              │
│ com.fasterxml.jackson.core:jackson-databind                  │                     │          │          │                                         │                                                 │                                                              │
│ (dremio-hive2-plugin-25.1.0-202409042012430619-15cc6471.jar) │                     │          │          │                                         │                                                 │                                                              │
│                                                              │                     │          │          │                                         │                                                 │                                                              │
├──────────────────────────────────────────────────────────────┼─────────────────────┤          │          │                                         ├─────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind                  │ CVE-2017-17485      │          │          │                                         │ 2.9.4, 2.8.11, 2.7.9.2                          │ jackson-databind: Unsafe deserialization due to incomplete   │
│ (dremio-hive2-exec-shaded-25.1.0-202409042012430619-15cc647- │                     │          │          │                                         │                                                 │ black list (incomplete fix for CVE-2017-15095)...            │
│ 1.jar)                                                       │                     │          │          │                                         │                                                 │ https://avd.aquasec.com/nvd/cve-2017-17485                   │
├──────────────────────────────────────────────────────────────┤                     │          │          │                                         │                                                 │                                                              │
│ com.fasterxml.jackson.core:jackson-databind                  │                     │          │          │                                         │                                                 │                                                              │
│ (dremio-hive2-plugin-25.1.0-202409042012430619-15cc6471.jar) │                     │          │          │                                         │                                                 │                                                              │
│                                                              │                     │          │          │                                         │                                                 │                                                              │
...

The full list of vulnerabilities we found is this one:

  • CVE-2019-20444
  • CVE-2022-39135
  • CVE-2020-7774
  • CVE-2023-45133
  • CVE-2024-47561
  • CVE-2017-7525
  • CVE-2018-11307
  • CVE-2018-14718
  • CVE-2018-14719
  • CVE-2018-19362
  • CVE-2019-16335
  • CVE-2019-20330
  • CVE-2017-17485
  • CVE-2019-14540
  • CVE-2019-17267
  • CVE-2019-17531
  • CVE-2020-8840
  • CVE-2020-9547
  • CVE-2020-9548
  • CVE-2021-3918
  • CVE-2023-26136
  • CVE-2022-37601
  • CVE-2022-37611
  • CVE-2019-16943
  • CVE-2021-23436
  • CVE-2022-26612
  • CVE-2022-25168
  • CVE-2023-42282
  • CVE-2021-42740
  • CVE-2019-20445
  • CVE-2021-28860
  • CVE-2019-14892
  • CVE-2024-1597
  • CVE-2021-23358
  • CVE-2021-44906
  • CVE-2020-7788
  • CVE-2019-14379
  • CVE-2022-39353
  • CVE-2021-37404
  • CVE-2017-15095
  • CVE-2019-16942
  • CVE-2021-3757
  • CVE-2018-7489

Could you confirm whether Dremio OSS is affected by these vulnerabilities and if so, are there plans to update the related dependencies?

Steps to reproduce

  • Build Dremio OSS locally
  • Run trivy using the build folder
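
As an added example (not code from this thread, from Dremio or from Trivy), the script below post-processes the JSON form of the report those two steps produce. It assumes the scan was run as `trivy fs --format json --output report.json <build-dir>` and that the file follows Trivy's public JSON layout (`Results[]` with `Target`, each holding `Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`). It collapses the duplicate rows the table above shows (the same jackson-databind CVE reported once per shaded jar), applies a severity floor, and picks the nearest upgrade target from Trivy's comma-separated "Fixed Version" field, preferring a patch release on the installed minor line. The embedded report is constructed: jar names are shortened and the third finding is invented to exercise the "no fix published" path.

```python
"""Summarise a Trivy JSON report of a build directory.

Added example, not code from this thread, from Dremio or from Trivy. Assumes
the report came from `trivy fs --format json --output report.json <build-dir>`
and follows Trivy's public JSON layout (Results[] -> Vulnerabilities[]).
"""
import json
import sys

SEVERITY_ORDER = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample mirroring the two jackson-databind findings quoted in the
# post (same CVE reported once per jar). Jar names are shortened; the third
# finding is invented to show the severity filter and the "no fix" case.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "dremio-hive2-exec-shaded.jar", "Class": "lang-pkgs", "Type": "jar",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2017-15095", "PkgName": "com.fasterxml.jackson.core:jackson-databind",
          "InstalledVersion": "2.6.3", "FixedVersion": "2.8.11, 2.9.4, 2.6.7.3, 2.7.9.2", "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-2017-17485", "PkgName": "com.fasterxml.jackson.core:jackson-databind",
          "InstalledVersion": "2.6.3", "FixedVersion": "2.9.4, 2.8.11, 2.7.9.2", "Severity": "CRITICAL"}]},
    {"Target": "dremio-hive2-plugin.jar", "Class": "lang-pkgs", "Type": "jar",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2017-15095", "PkgName": "com.fasterxml.jackson.core:jackson-databind",
          "InstalledVersion": "2.6.3", "FixedVersion": "2.8.11, 2.9.4, 2.6.7.3, 2.7.9.2", "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-0000-00000", "PkgName": "org.example:constructed-lib",  # placeholder id
          "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "MEDIUM"}]}]})


def parse_version(v):
    """'2.6.7.3' -> (2, 6, 7, 3); stops at the first non-numeric component."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def nearest_fix(installed, fixed_field):
    """Choose the upgrade target closest to the installed version.

    Trivy lists every fixed version in one comma-separated string. Prefer the
    lowest fix on the installed major.minor line (a patch upgrade); otherwise
    the lowest fix above the installed version. None means no fix published.
    """
    if not fixed_field:
        return None
    inst = parse_version(installed)
    candidates = sorted((parse_version(f), f.strip()) for f in fixed_field.split(","))
    same_line = [c for c in candidates if c[0][:2] == inst[:2] and c[0] > inst]
    if same_line:
        return same_line[0][1]
    higher = [c for c in candidates if c[0] > inst]
    return higher[0][1] if higher else None


def flatten(report):
    """Yield one record per (target, vulnerability) pair in the report."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield {"target": result["Target"], "cve": v["VulnerabilityID"],
                   "pkg": v["PkgName"], "installed": v.get("InstalledVersion", ""),
                   "fixed": v.get("FixedVersion", ""), "severity": v.get("Severity", "UNKNOWN")}


def dedupe(report):
    """Collapse findings repeated across jars (shaded copies of one library)
    into one row per (package, CVE), remembering every jar that carries it."""
    rows = {}
    for rec in flatten(report):
        row = rows.setdefault((rec["pkg"], rec["cve"]), {**rec, "targets": []})
        row["targets"].append(rec["target"])
    return rows


def summarize(report_text, min_severity="HIGH"):
    """Rows at or above min_severity, highest severity first, then by package/CVE."""
    rows = dedupe(json.loads(report_text))
    ordered = sorted(rows.items(), key=lambda kv: (-SEVERITY_ORDER[kv[1]["severity"]], kv[0]))
    return [{"pkg": pkg, "cve": cve, "severity": row["severity"], "installed": row["installed"],
             "upgrade_to": nearest_fix(row["installed"], row["fixed"]),
             "jars": sorted(set(row["targets"]))}
            for (pkg, cve), row in ordered
            if SEVERITY_ORDER[row["severity"]] >= SEVERITY_ORDER[min_severity]]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for r in summarize(text):
        print(f'{r["severity"]:8} {r["cve"]:16} {r["pkg"]} {r["installed"]} -> '
              f'{r["upgrade_to"] or "no fix"}  in {", ".join(r["jars"])}')
```

Run it as `python summarize_trivy.py report.json` (a hypothetical file name) to get one line per package/CVE instead of one per jar; the deduplicated count is what matters when asking a vendor which dependency bumps are planned, since every shaded copy of jackson-databind is fixed by the same upgrade.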

We take security issues seriously here. Security | Dremio has some more information about our approach. In general, we resolve exploitable security issues within our internal security SLAs based on severity, while also aiming to keep other packages with vulnerabilities (that aren’t exploitable) up to date. We document package changes in the release notes as well.