Details
Bug
Status: Resolved
Major
Resolution: Duplicate
2.7.3
None
Description
1. Remove dependency on com.thoughtworks.xstream:xstream:jar:1.4.10 in Ambari Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2013-7285
± % mvn dependency:tree -Dincludes=com.thoughtworks.xstream:xstream
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] \- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
2. Remove dependency on org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31 in Ambari Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2018-8014
± % mvn dependency:tree -Dincludes=org.apache.tomcat
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.13.RELEASE:provided
[INFO]    \- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31:provided
[INFO]       \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.31:provided
3. Remove dependency on org.apache.logging.log4j:log4j-core:jar:2.7 in Ambari Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2017-5645
± % mvn dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-log4j2:jar:1.5.13.RELEASE:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.7:compile
4. Remove dependency on org.eclipse.jetty:jetty.* 9.4.10.v20180503 in Ambari Server due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2017-7657
https://nvd.nist.gov/vuln/detail/CVE-2017-7658
https://nvd.nist.gov/vuln/detail/CVE-2019-10247
https://nvd.nist.gov/vuln/detail/CVE-2018-12536
https://nvd.nist.gov/vuln/detail/CVE-2018-12545
https://nvd.nist.gov/vuln/detail/CVE-2019-10241
± % mvn dependency:tree -Dincludes=org.eclipse.jetty
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-jetty:jar:1.5.13.RELEASE:compile
[INFO]    +- org.eclipse.jetty:jetty-servlets:jar:9.4.10.v20180503:compile
[INFO]    |  +- org.eclipse.jetty:jetty-continuation:jar:9.4.10.v20180503:compile
[INFO]    |  +- org.eclipse.jetty:jetty-http:jar:9.4.10.v20180503:compile
[INFO]    |  +- org.eclipse.jetty:jetty-util:jar:9.4.10.v20180503:compile
[INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.4.10.v20180503:compile
[INFO]    +- org.eclipse.jetty:jetty-webapp:jar:9.4.10.v20180503:compile
[INFO]    |  +- org.eclipse.jetty:jetty-xml:jar:9.4.10.v20180503:compile
[INFO]    |  \- org.eclipse.jetty:jetty-servlet:jar:9.4.10.v20180503:compile
[INFO]    |     \- org.eclipse.jetty:jetty-security:jar:9.4.10.v20180503:compile
[INFO]    |        \- org.eclipse.jetty:jetty-server:jar:9.4.10.v20180503:compile
[INFO]    +- org.eclipse.jetty.websocket:websocket-server:jar:9.4.10.v20180503:compile
[INFO]    |  \- org.eclipse.jetty.websocket:websocket-client:jar:9.4.10.v20180503:compile
[INFO]    |     \- org.eclipse.jetty:jetty-client:jar:9.4.10.v20180503:compile
[INFO]    \- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.10.v20180503:compile
[INFO]       \- org.eclipse.jetty:jetty-annotations:jar:9.4.10.v20180503:compile
[INFO]          \- org.eclipse.jetty:jetty-plus:jar:9.4.10.v20180503:compile
5. Remove dependency on markedjs 0.3.2 or upgrade swagger-ui with a newer markedjs version in Ambari Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2017-16114
https://nvd.nist.gov/vuln/detail/CVE-2016-10531
https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
https://nvd.nist.gov/vuln/detail/CVE-2015-8854
https://nvd.nist.gov/vuln/detail/CVE-2015-1370
~/ambari/ambari-infra/ambari-infra-manager [branch-2.7 *] ± % ag marked.js
target/classes/swagger/swagger.html
42: <script src='swagger-ui/2.2.2/lib/marked.js' type='text/javascript'></script>
src/main/resources/swagger/swagger.html
42: <script src='swagger-ui/2.2.2/lib/marked.js' type='text/javascript'></script>
6. Remove dependency on org.springframework.security:spring-security-web 4.3.12.RELEASE in Ambari Infra Manager due to security concerns. See
https://nvd.nist.gov/vuln/detail/CVE-2018-15756
± % mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< org.apache.ambari:ambari-infra-manager >---------------
[INFO] Building Ambari Infra Manager 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-infra-manager ---
...
[INFO] |  \- org.springframework:spring-web:jar:4.3.12.RELEASE:compile
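Every item above was established the same way: one `mvn dependency:tree -Dincludes=...` run per suspect artifact, read by hand. As an added example (not Ambari project code), the Python below parses the `mvn dependency:tree` text format quoted in this ticket and reports the flagged coordinates together with the transitive path that pulls each one in, which is what an exclusion or version override has to target; the CVE-to-version mapping is taken from the ticket, and the sample tree is constructed by merging the quoted runs.

```python
import re
from typing import Dict, List, Tuple

# Vulnerable coordinates and CVEs from this ticket, at the versions the ticket's
# `mvn dependency:tree` runs reported for ambari-infra-manager.
FLAGGED: Dict[str, List[str]] = {
    "com.thoughtworks.xstream:xstream:1.4.10": ["CVE-2013-7285"],
    "org.apache.tomcat.embed:tomcat-embed-core:8.5.31": ["CVE-2018-8014"],
    "org.apache.logging.log4j:log4j-core:2.7": ["CVE-2017-5645"],
}

# "[INFO] " prefix, tree drawing in 3-char cells ("+- ", "\- ", "|  ", "   "),
# then groupId:artifactId:type[:classifier]:version[:scope] with no spaces.
TREE_LINE = re.compile(r"^\[INFO\] ([ |+\\-]*)(\S+)$")


def scan_dependency_tree(output: str) -> List[Tuple[str, List[str], str]]:
    """Return (group:artifact:version, CVEs, 'root -> ... -> artifact') per hit."""
    findings: List[Tuple[str, List[str], str]] = []
    stack: List[str] = []  # group:artifact:version of each ancestor, by depth
    for line in output.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        parts = m.group(2).split(":")
        if len(parts) < 4:  # banner or plugin lines, not coordinates
            continue
        # The root line has no scope field (4 parts); children end with one.
        version = parts[3] if len(parts) == 4 else parts[-2]
        gav = f"{parts[0]}:{parts[1]}:{version}"
        depth = len(m.group(1)) // 3  # one 3-char cell per nesting level
        del stack[depth:]  # leave only this node's ancestors on the stack
        stack.append(gav)
        if gav in FLAGGED:
            findings.append((gav, FLAGGED[gav], " -> ".join(stack)))
    return findings


# Constructed sample merged from the trees quoted in this ticket (not real output).
SAMPLE_OUTPUT = r"""[INFO] org.apache.ambari:ambari-infra-manager:jar:2.7.3.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:1.5.13.RELEASE:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] \- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.13.RELEASE:provided
[INFO]    \- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.31:provided
[INFO]       \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.31:provided"""

if __name__ == "__main__":
    for gav, cves, path in scan_dependency_tree(SAMPLE_OUTPUT):
        print(f"{gav}  {', '.join(cves)}\n    via {path}")
```

Feeding it the full `mvn dependency:tree` output (no `-Dincludes`) checks every flagged artifact in one pass, which is the form that fits a CI gate.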