Hi Team,
We have found a few vulnerable third-party components in the Docker image dremio:24.2.6. Is there any timeline for when we can have the updated jars in the image?
Below is the list of jars that we have found to be vulnerable.
- protobuf-java fixed in 3.19.6 or above
/opt/dremio/jars/3rdparty/hadoop-shaded-protobuf_3_7-1.1.1.jar(3.7.1)
nvd.nist.gov/vuln/detail/CVE-2022-3510
CVSS Base Score: 7.5 High
- jetty-http, jetty-server, jetty-util, jetty-webapp, jetty-servlets, jetty-io and jetty-client 9.4.51.v20230217 fixed in 9.4.53.v20231009 or above
/opt/dremio/jars/3rdparty/jetty-*-9.4.51.v20230217.jar
CVE-2023-36478
CVSS Base Score: 7.5 High
- pf4j fixed in 3.10.0 or above
/opt/dremio/jars/3rdparty/pf4j-3.6.0.jar
CVE-2023-40828
CVSS Base Score: 7.5 High
- guava fixed in 32.1.1-jre
/opt/dremio/jars/3rdparty/dremio-twill-shaded-24.2.6-202311250456170399-68acbe47.jar(13.0.1)
/opt/dremio/jars/3rdparty/iceberg-bundled-guava-1.3.0-7dbdfd3-20230614154222-545fbe0.jar(31.1-jre)
/opt/dremio/jars/3rdparty/gcs-connector-hadoop3-2.2.2-dremio-202306291124120084-8ab9811-shaded.jar(30.1-jre)
/opt/dremio/jars/3rdparty/hadoop-shaded-guava-1.1.1.jar(30.1.1-jre)
CVE-2023-2976
CVSS Base Score: 7.1 High
- elasticsearch 6.8.23 fixed in 8.11.1
/opt/dremio/jars/3rdparty/elasticsearch-6.8.23.jar
CVE-2023-31418
CVSS Base Score: 7.5 High
- okio 3.2.0 fixed in 3.4.0 or above
/opt/dremio/jars/3rdparty/okio-3.2.0.jar
CVE-2023-3635
CVSS Base Score: 7.5 High
- libthrift 0.13.0 fixed in 0.14.0 or above
/opt/dremio/jars/3rdparty/libthrift-0.13.0.jar
CVE-2020-13949
CVSS Base Score: 7.5 High
Regards,
abkul
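The list above pairs several findings with jars whose filename version says nothing about the vulnerable library inside them (guava 30.1.1-jre inside hadoop-shaded-guava-1.1.1.jar, protobuf 3.7.1 inside hadoop-shaded-protobuf_3_7-1.1.1.jar). The following is an added example, not code from the poster or from Dremio, showing how such bundled versions can be recovered and compared against the fixed versions quoted in the post: it opens each jar as a zip, reads every `META-INF/maven/<groupId>/<artifactId>/pom.properties` that the shade plugin normally leaves in place, and flags any module below its minimum fixed version. The Maven coordinates in `FIXED_VERSIONS` are this example's assumption about how each library is published; the sample jars are constructed in memory so the script runs offline. Pointing `scan_dir()` at `/opt/dremio/jars/3rdparty` is the intended real use.

```python
"""Added example: find vulnerable Maven modules bundled inside (shaded) jars.

Reads META-INF/maven/<groupId>/<artifactId>/pom.properties from each jar and
compares the recorded version against a minimum fixed version. Sample jars
below are constructed in memory; Maven coordinates are assumptions.
"""
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Minimum fixed versions copied from the post above; (groupId, artifactId)
# pairs are this example's assumption, the CVE ids are labels from the post.
FIXED_VERSIONS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("com.google.protobuf", "protobuf-java"): ("3.19.6", "CVE-2022-3510"),
    ("org.eclipse.jetty", "jetty-http"): ("9.4.53.v20231009", "CVE-2023-36478"),
    ("org.eclipse.jetty", "jetty-server"): ("9.4.53.v20231009", "CVE-2023-36478"),
    ("org.pf4j", "pf4j"): ("3.10.0", "CVE-2023-40828"),
    ("com.google.guava", "guava"): ("32.1.1-jre", "CVE-2023-2976"),
    ("org.elasticsearch", "elasticsearch"): ("8.11.1", "CVE-2023-31418"),
    ("com.squareup.okio", "okio"): ("3.4.0", "CVE-2023-3635"),
    ("org.apache.thrift", "libthrift"): ("0.14.0", "CVE-2020-13949"),
}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def version_key(v: str) -> List[int]:
    """Numeric runs of a version: '9.4.51.v20230217' -> [9, 4, 51, 20230217],
    '31.1-jre' -> [31, 1]. Qualifiers (-jre, .v) are dropped, so pre-release
    markers such as rc/SNAPSHOT are not ordered; enough for these checks."""
    return [int(x) for x in re.findall(r"\d+", v)]


def is_below(found: str, fixed: str) -> bool:
    """True when `found` sorts strictly before `fixed` (zero-padded compare)."""
    a, b = version_key(found), version_key(fixed)
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for pom.properties (comments start with #)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props


def bundled_coordinates(jar: zipfile.ZipFile) -> Iterator[Tuple[str, str, str]]:
    """Yield (groupId, artifactId, version) for every Maven module packaged in
    the jar. A shaded/uber jar carries one entry per bundled dependency; a
    shade build that strips META-INF/maven is invisible to this check."""
    for name in jar.namelist():
        m = POM_PROPS.match(name)
        if not m:
            continue
        props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
        ver = props.get("version")
        if ver:
            yield props.get("groupId", m.group(1)), props.get("artifactId", m.group(2)), ver


def scan_jar(jar_name: str, data: bytes) -> List[dict]:
    """Return one finding per bundled module below its fixed version."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for gid, aid, ver in bundled_coordinates(jar):
            fixed = FIXED_VERSIONS.get((gid, aid))
            if fixed and is_below(ver, fixed[0]):
                findings.append({"jar": jar_name, "artifact": f"{gid}:{aid}",
                                 "found": ver, "fixed": fixed[0], "cve": fixed[1]})
    return findings


def scan_dir(path: str) -> List[dict]:
    """Scan every *.jar in a directory, e.g. /opt/dremio/jars/3rdparty."""
    out: List[dict] = []
    for p in sorted(Path(path).glob("*.jar")):
        out.extend(scan_jar(p.name, p.read_bytes()))
    return out


# --- constructed sample input: tiny jars built in memory (not real artifacts)
def make_jar(modules: Dict[Tuple[str, str], str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for (gid, aid), ver in modules.items():
            z.writestr(f"META-INF/maven/{gid}/{aid}/pom.properties",
                       f"#generated\nversion={ver}\ngroupId={gid}\nartifactId={aid}\n")
    return buf.getvalue()


SAMPLE_JARS: Dict[str, bytes] = {
    # filename version 1.1.1 says nothing about the guava bundled inside
    "hadoop-shaded-guava-1.1.1.jar": make_jar({("com.google.guava", "guava"): "30.1.1-jre"}),
    "jetty-server-9.4.53.v20231009.jar": make_jar({("org.eclipse.jetty", "jetty-server"): "9.4.53.v20231009"}),
    "okio-3.2.0.jar": make_jar({("com.squareup.okio", "okio"): "3.2.0"}),
}


def scan_samples() -> List[dict]:
    out: List[dict] = []
    for name, data in SAMPLE_JARS.items():
        out.extend(scan_jar(name, data))
    return out


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['jar']}: {f['artifact']} {f['found']} < {f['fixed']} ({f['cve']})")
```

Run against the sample jars, the shaded guava copy and okio 3.2.0 are reported while the already-fixed jetty-server is not. The check is only as good as the metadata the shade build kept: relocated classes whose `pom.properties` were excluded need a class-fingerprint scanner instead, and qualifiers like `-rc1` are not ordered by this simple comparator.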