Vulnerable 3rd party jars found in dremio 24.2.6

Hi Team,
We have found a few vulnerable third-party components in the Docker image dremio:24.2.6. Is there any timeline for when we can have the updated jars in the image?

Below is the list of jars that we have found to be vulnerable.

  1. protobuf-java fixed in 3.19.6 or above
     CVSS Base Score: 7.5 High
  2. jetty-http, jetty-server, jetty-util, jetty-webapp, jetty-servlets, jetty-io and jetty-client 9.4.51.v20230217 fixed in 9.4.53.v20231009 or above
     CVSS Base Score: 7.5 High
  3. pf4j fixed in 3.10.0 or above
     CVSS Base Score: 7.5 High
  4. guava fixed in 32.1.1-jre
     CVSS Base Score: 7.1 High
  5. elasticsearch 6.8.23 fixed in 8.11.1
     CVSS Base Score: 7.5 High
  6. okio 3.2.0 fixed in 3.4.0 or above
     CVSS Base Score: 7.5 High
  7. libthrift 0.13.0 fixed in 0.14.0 or above
     CVSS Base Score: 7.5 High

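As an added example (editor's code, not part of the original post and not Dremio's own tooling), one way to re-check a jar directory against the minimum fixed versions listed above. The Maven-style file name parsing, the numeric version comparison and the sample file names are all assumptions made here: SAMPLE_JARS is a constructed list, not the real contents of any Dremio image.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Minimum fixed versions, taken from the list in the post above.
MIN_FIXED_VERSIONS: Dict[str, str] = {
    "protobuf-java": "3.19.6",
    "jetty-http": "9.4.53.v20231009",
    "jetty-server": "9.4.53.v20231009",
    "jetty-util": "9.4.53.v20231009",
    "jetty-webapp": "9.4.53.v20231009",
    "jetty-servlets": "9.4.53.v20231009",
    "jetty-io": "9.4.53.v20231009",
    "jetty-client": "9.4.53.v20231009",
    "pf4j": "3.10.0",
    "guava": "32.1.1-jre",
    "elasticsearch": "8.11.1",
    "okio": "3.4.0",
    "libthrift": "0.14.0",
}

# Maven-style file name <artifactId>-<version>.jar: the version starts at the first "-"
# that is followed by a digit, so artifactIds such as jetty-http keep their hyphens.
# Assumption: artifactIds containing "-<digit>" (e.g. log4j-1.2-api) would be misparsed.
_JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Split 'guava-32.1.1-jre.jar' into ('guava', '32.1.1-jre'); None for non-Maven names."""
    m = _JAR_NAME.match(name)
    return (m["artifact"], m["version"]) if m else None


def version_key(version: str) -> List[int]:
    """Numeric tokens of a version, e.g. '9.4.51.v20230217' -> [9, 4, 51, 20230217].

    Parsing stops at the first non-numeric qualifier ('jre', 'android', 'SNAPSHOT'),
    so two versions that differ only in such a qualifier compare as equal; a pre-release
    such as 3.4.0-rc1 would therefore (wrongly) count as 3.4.0, which is a known limitation.
    """
    key: List[int] = []
    for token in re.split(r"[.\-]", version):
        m = re.fullmatch(r"v?(\d+)", token)
        if not m:
            break
        key.append(int(m.group(1)))
    return key


def version_at_least(found: str, minimum: str) -> bool:
    """True if `found` >= `minimum`; shorter keys are zero-padded so 3.4 equals 3.4.0."""
    a, b = version_key(found), version_key(minimum)
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) >= b + [0] * (width - len(b))


def audit(jar_names: Iterable[str],
          minimums: Dict[str, str] = MIN_FIXED_VERSIONS) -> Dict[str, Tuple[str, str, bool]]:
    """Map each reported artifact present in `jar_names` to (found_version, minimum, is_fixed).

    Artifacts not in `minimums` are ignored; a matching artifactId that is missing from the
    result was simply not found under that exact name (it may be shaded or renamed).
    """
    result: Dict[str, Tuple[str, str, bool]] = {}
    for name in jar_names:
        parsed = parse_jar_name(Path(name).name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact in minimums:
            minimum = minimums[artifact]
            result[artifact] = (version, minimum, version_at_least(version, minimum))
    return result


def audit_directory(jar_dir: str) -> Dict[str, Tuple[str, str, bool]]:
    """Audit every *.jar directly inside `jar_dir` (e.g. a copy of the image's jar directory)."""
    return audit(p.name for p in Path(jar_dir).glob("*.jar"))


# Constructed sample file names for demonstration only, not the contents of a real image.
SAMPLE_JARS = [
    "protobuf-java-3.19.4.jar",
    "jetty-http-9.4.51.v20230217.jar",
    "jetty-server-9.4.53.v20231009.jar",   # already at the fixed version
    "guava-31.1-jre.jar",
    "okio-3.2.0.jar",
    "libthrift-0.13.0.jar",
    "pf4j-3.10.0.jar",
    "elasticsearch-6.8.23.jar",
    "commons-lang3-3.12.0.jar",            # not in the report; ignored
]

if __name__ == "__main__":
    for artifact, (found, minimum, ok) in sorted(audit(SAMPLE_JARS).items()):
        print(f"{'OK  ' if ok else 'FAIL'} {artifact}: found {found}, fixed in {minimum}")
```

To run this against an image without starting it, create a stopped container and copy the jar directory out (`docker create --name dremio-tmp <image>` followed by `docker cp dremio-tmp:/opt/dremio/jars ./jars`), then call `audit_directory("./jars")`; the `/opt/dremio/jars` path is an assumption about the image layout and should be checked with `docker run --rm <image> ls /opt/dremio`. Two caveats: a library may ship under an artifactId that differs from its name, so absence from the output is not proof of absence from the image, and reaching the fixed version only addresses the advisories the post cites, not anything published later.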

We take security issues very seriously at Dremio. If there is an exploitable security issue, we resolve it within our internal security SLAs based on severity/priority. In the case of non-exploitable security issues in third-party libraries, we always try to update them to the latest possible version at a regular cadence. Please always update to the latest Dremio version if possible.

For more information about security at Dremio: Platform Security - Protecting Your Data | Dremio

For more information about recent security vulnerabilities: Security Bulletins | Dremio Documentation