Vulnerable 3rd party components found in Docker image: dremio:24.0

Hi Team,
We have found a few vulnerable 3rd party components in the Docker image dremio:24.0. Is there any timeline for when we can have the updated jars in the image?

Below is the list of jars that we have found to be vulnerable.


  1. Jackson-databind fixed in 2.15.1 or above
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/jars/3rdparty/dremio-hive2-exec-shaded-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive3-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/jars/3rdparty/parquet-jackson-1.12.0-202210150148350243-15cbcc2.jar
    /opt/dremio/jars/3rdparty/jackson-databind-2.13.2.2.jar

https://nvd.nist.gov/vuln/detail/CVE-2022-42003
CVSS Base Score: 7.5 High

  2. netty-all 4.1.34.Final fixed in 4.1.93.Final
    /opt/dremio/plugins/connectors/dremio-ce-hive3-plugin-24.0.0-202302100528110223-3a169b7c.jar

https://nvd.nist.gov/vuln/detail/CVE-2019-20445
CVSS Base Score: 9.1 Critical

  3. netty 3.10.6.Final fixed in netty-all 4.1.93.Final
    /opt/dremio/plugins/connectors/dremio-ce-hive3-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/jars/3rdparty/netty-3.10.6.Final-nohttp.jar

https://nvd.nist.gov/vuln/detail/CVE-2019-20445
CVSS Base Score: 9.1 Critical

  4. netty-codec 4.1.52.Final fixed in 4.1.93.Final
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive3-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/jars/3rdparty/gcs-connector-hadoop3-2.2.2-dremio-202208181741250538-215a1b7-shaded.jar

https://nvd.nist.gov/vuln/detail/CVE-2021-37137
CVSS Base Score: 7.5 High

  5. hadoop-common (2.8.5 and 3.3.2) fixed in 3.3.5
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive3-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/jars/3rdparty/hadoop-common-3.3.2-dremio-202207041927090255-61c2bd1.jar

https://nvd.nist.gov/vuln/detail/CVE-2022-26612
CVSS Base Score: 9.8 Critical

  6. snakeyaml 1.31 fixed in 2.0 or above
    /opt/dremio/jars/3rdparty/snakeyaml-1.31.jar

https://nvd.nist.gov/vuln/detail/CVE-2022-1471
CVSS Base Score: 9.8 Critical

  7. calcite-core (1.10.0 and 1.16.0) fixed in 1.34.0
    /opt/dremio/jars/3rdparty/dremio-hive2-exec-shaded-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/jars/3rdparty/calcite-core-1.16.0-202212291946520071-31c33937.jar

https://nvd.nist.gov/vuln/detail/CVE-2022-39135
CVSS Base Score: 9.8 Critical

  8. protobuf-java (2.5.0, 3.7.1, 3.19.4) fixed in 3.19.6 or 3.21.9 or above
    /opt/dremio/jars/3rdparty/dremio-hive2-exec-shaded-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/jars/3rdparty/hadoop-shaded-protobuf_3_7-1.1.1.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive3-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar

https://nvd.nist.gov/vuln/detail/CVE-2022-3510
CVSS Base Score: 7.5 High

  9. json-smart 2.4.8 fixed in 2.4.10 or above
    /opt/dremio/jars/3rdparty/json-smart-2.4.8.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive3-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar

https://nvd.nist.gov/vuln/detail/CVE-2023-1370
CVSS Base Score: 7.5 High

  10. hadoop-hdfs-client 2.8.5 fixed in 3.3.5
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar

https://nvd.nist.gov/vuln/detail/CVE-2020-9492
CVSS Base Score: 8.8 High

  11. hadoop-yarn-server-common 2.8.5 fixed in 3.3.5
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar

https://nvd.nist.gov/vuln/detail/CVE-2021-33036
CVSS Base Score: 8.8 High

  12. xalan 2.7.2 fixed in 2.7.3
    /opt/dremio/jars/3rdparty/xalan-2.7.2.jar

https://nvd.nist.gov/vuln/detail/CVE-2022-34169
CVSS Base Score: 7.5 High

  13. libthrift 0.13.0 fixed in 0.18.1
    /opt/dremio/jars/3rdparty/libthrift-0.13.0.jar

https://nvd.nist.gov/vuln/detail/CVE-2020-13949
CVSS Base Score: 7.5 High

  14. woodstox-core 5.2.1 fixed in 6.4.0 or above
    /opt/dremio/plugins/connectors/dremio-ce-hive3-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/plugins/connectors/dremio-ce-hive2-plugin-24.0.0-202302100528110223-3a169b7c.jar
    /opt/dremio/jars/3rdparty/woodstox-core-5.2.1.jar

https://nvd.nist.gov/vuln/detail/CVE-2022-40152
CVSS Base Score: 7.5 High

  15. openssl 3.0.2-0ubuntu1.7 fixed in 3.0.2-0ubuntu1.8 or above

https://nvd.nist.gov/vuln/detail/CVE-2023-0286
CVSS Base Score: 7.4 High

Thank you.

We take security issues seriously here. Security | Dremio has some more information about our approach. In general, we resolve exploitable security issues within our internal security SLAs based on severity, while also aiming to keep other packages with vulnerabilities (that aren't exploitable) up to date. We do our best to document package changes in the release notes as well. You can see some of the updates made in 24.0.0 and subsequent releases on the website here.

Hi @danh,

Thanks for your response. I just wanted to check if you have any tentative timeline to fix this vulnerable issue, or whether it can be fixed for any enterprise?

Thanks,
Saurabh