Security vulnerabilities in Dremio 25.X

abkul · July 15, 2024, 6:54am

Hi Team, In our security scan on Dremio 25.X version, we found vulnerabilities in the following 3rd party jars as they are not updated to latest safe versions.

dremio-twill-shaded
org.elasticsearch:elasticsearch
com.google.protobuf:protobuf-java
org.codehaus.janino:janino
javax.el-3.0.1-b11
jetty-http
jetty-server
jetty-servlets
jetty-util
json-smart
libthrift
netty-3.10.6.Final-nohttp
netty-handler-4.1.68.Final
parquet-jackson
pf4j
postgresql
woodstox-core
zookeeper

Can you please let us know if the vulnerabilities are applicable? if yes, any plans to fix them

balaji.ramaswamy · July 22, 2024, 4:19am

@abkul

We take security issues seriously here. Security | Dremio has some more information about our approach. In general, we resolve exploitable security issues within our internal security SLAs based on severity while also aiming to update other packages with vulnerabilities (that aren’t exploitable) up to date. We do our best to document package changes in the release notes as well. You can see some of the updates made in 25.0.0 and subsequent releases on the website here .

Topic		Replies	Views
Vulnerable 3rd party jars found in dremio 24.2.6	1	301	January 18, 2024
Security vulnerability in dremio 25.1.0	3	72	October 8, 2024
Vulnerable 3rd party components found in docker Image: dremio:24.0	2	623	August 8, 2023
Security vulnerabilities on dremio/dremio-oss image	4	1905	December 17, 2021
Multiple CVEs in Dremio OSS dependencies	0	9	October 14, 2024

Security vulnerabilities in Dremio 25.X

Related Topics