From 6ce1b089f782d02dad4d920eaa61b0f030e1c7e9 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Thu, 14 Nov 2024 21:36:25 +0100 Subject: [PATCH 1/8] fix(druid): CVE-2023-34455 --- .../02-prometheus-emitter-from-source.patch | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch b/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch index 8f0ca6795..1056407e2 100644 --- a/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch +++ b/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch @@ -2,15 +2,13 @@ Include Prometheus emitter in distribution From: Lars Francke - ---- - 0 files changed +Update 2024-11-14: fix CVE-2023-34455 diff --git a/distribution/pom.xml b/distribution/pom.xml -index d7cd645767..eda1ddcfab 100644 +index e27329e96d..ea79123ab3 100644 --- a/distribution/pom.xml +++ b/distribution/pom.xml -@@ -464,6 +464,52 @@ +@@ -464,6 +464,66 @@ @@ -55,6 +53,20 @@ index d7cd645767..eda1ddcfab 100644 + + + ++ ++ fix-cve-2023-34455-remove-snappy ++ package ++ ++ exec ++ ++ ++ rm ++ ++ ${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar ++ ${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar ++ ++ ++ + + + From 436d818b13e8d3af4f99ebeac4eff8ec5245ddde Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 15 Nov 2024 10:33:41 +0100 Subject: [PATCH 2/8] add doc to patch file --- .../30.0.0/02-prometheus-emitter-from-source.patch | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch b/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch index 1056407e2..b75b0a4ed 100644 
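Review bot: The two `rm` arguments in the added `fix-cve-2023-34455-remove-snappy` execution hard-code both the hadoop client version (`3.3.6`) and the jar name (`snappy-java-1.1.8.2.jar`), so a bump of the hadoop version used by the dependency-download step elsewhere in this pom would leave these paths stale. Because the executable is plain `rm` without `-f`, a stale path makes the exec fail and with it the build, which is the safe, fail-closed direction; keep it that way rather than adding `-f`, and say so next to the arguments: `<!-- Paths are deliberately exact and rm has no -f: if the hadoop or snappy version changes, the build must fail rather than silently ship the vulnerable jar. -->`. If the pom already defines a property for the hadoop client version, substituting it into both paths would keep that version in one place. The hunk edits a nested patch file, so the surrounding pom.xml context is not visible here.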
--- a/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch +++ b/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch @@ -4,6 +4,14 @@ From: Lars Francke Update 2024-11-14: fix CVE-2023-34455 +See: https://github.com/stackabletech/vulnerabilities/issues/558 + +The Prometheus installation brings in a set of redundand dependendencies including the vulnerable +snappy-java library. Updated versions of this libary are already present in the classpath. +Therefore, we explicitely remove the affected jars as it it is recommended by the Druid authors here: + +https://github.com/apache/druid/blob/09d36ee324747f1407705c27618b6d415c3fa8a9/services/src/main/java/org/apache/druid/cli/PullDependencies.java#L90 + diff --git a/distribution/pom.xml b/distribution/pom.xml index e27329e96d..ea79123ab3 100644 --- a/distribution/pom.xml From 392a47cef7e1f46119d0bfee6799204d7a42a4f1 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 15 Nov 2024 10:52:03 +0100 Subject: [PATCH 3/8] update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a474c0f58..5f95d63c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -70,6 +70,7 @@ All notable changes to this project will be documented in this file. - nifi: Fix CVE-2024-36114 in NiFi `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]). - hbase: Fix CVE-2024-36114 in HBase `2.6.0` by upgrading a dependency. ([#925]). - druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]). +- druid: Fix CVE-2023-34455 in Druid `30.0.0` by deleting a dependency ([#935]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797 
@@ -119,6 +120,7 @@ All notable changes to this project will be documented in this file. [#924]: https://github.com/stackabletech/docker-images/pull/924 [#925]: https://github.com/stackabletech/docker-images/pull/925 [#926]: https://github.com/stackabletech/docker-images/pull/926 +[#935]: https://github.com/stackabletech/docker-images/pull/935 ## [24.7.0] - 2024-07-24 From 1fae9a44313803b9a48eeb77dadaa9e8d666c9f7 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 28 Jan 2025 10:15:00 +0100 Subject: [PATCH 4/8] fix markdown lint --- CHANGELOG.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5235451cd..99e5d94ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,13 +29,10 @@ All notable changes to this project will be documented in this file. ### Fixed +- druid: Fix CVE-2023-34455 in Druid `30.0.0` by deleting a dependency ([#935]). - hadoop: Fix the JMX exporter configuration for metrics suffixed with `_total`, `_info` and `_created` ([#962]). -### Fixed - -- druid: Fix CVE-2023-34455 in Druid `30.0.0` by deleting a dependency ([#935]). - [#884]: https://github.com/stackabletech/docker-images/pull/884 [#928]: https://github.com/stackabletech/docker-images/pull/928 [#943]: https://github.com/stackabletech/docker-images/pull/943 From f0d296cce0de50219deb22303f6cd44addb157af Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 28 Jan 2025 12:00:23 +0100 Subject: [PATCH 5/8] revert prometheus patch from main --- .../02-prometheus-emitter-from-source.patch | 28 +++---------------- 1 file changed, 4 insertions(+), 24 deletions(-) diff --git a/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch b/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch index b75b0a4ed..8f0ca6795 100644 --- a/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch 
+++ b/druid/stackable/patches/30.0.0/02-prometheus-emitter-from-source.patch @@ -2,21 +2,15 @@ Include Prometheus emitter in distribution From: Lars Francke -Update 2024-11-14: fix CVE-2023-34455 -See: https://github.com/stackabletech/vulnerabilities/issues/558 - -The Prometheus installation brings in a set of redundand dependendencies including the vulnerable -snappy-java library. Updated versions of this libary are already present in the classpath. -Therefore, we explicitely remove the affected jars as it it is recommended by the Druid authors here: - -https://github.com/apache/druid/blob/09d36ee324747f1407705c27618b6d415c3fa8a9/services/src/main/java/org/apache/druid/cli/PullDependencies.java#L90 +--- + 0 files changed diff --git a/distribution/pom.xml b/distribution/pom.xml -index e27329e96d..ea79123ab3 100644 +index d7cd645767..eda1ddcfab 100644 --- a/distribution/pom.xml +++ b/distribution/pom.xml -@@ -464,6 +464,66 @@ +@@ -464,6 +464,52 @@ @@ -61,20 +55,6 @@ index e27329e96d..ea79123ab3 100644 + + + -+ -+ fix-cve-2023-34455-remove-snappy -+ package -+ -+ exec -+ -+ -+ rm -+ -+ ${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar -+ ${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar -+ -+ -+ + + + From cf78ac9ed577894394aa09286b5d0dc30746eb56 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 28 Jan 2025 12:01:35 +0100 Subject: [PATCH 6/8] added new patch file --- .../30.0.0/10-cve-2023-34455-rm-snappy.patch | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch diff --git a/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch new file mode 100644 index 000000000..4942a8c3e --- /dev/null +++ b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch 
@@ -0,0 +1,37 @@ +Fix CVE-2023-34455 +see https://github.com/stackabletech/vulnerabilities/issues/558 + +At the end of build process, Druid downloads dependencies directly from a remote +Maven repository ignoring existing patches that have been applyed locally. +These dependencies include all transitive dependencies too. +The hadoop client depends on a vulnerable version of the snappy library which +is then also downloaded even though a newer version is already on the system. + +This patch removes the vulnerable jars. + +diff --git a/distribution/pom.xml b/distribution/pom.xml +index d5918710ef..bba99d078c 100644 +--- a/distribution/pom.xml ++++ b/distribution/pom.xml +@@ -594,6 +594,21 @@ + + + ++ +++ +++ fix-cve-2023-34455-remove-snappy +++ package +++ +++ exec +++ +++ +++ rm +++ +++ ${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar +++ ${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar +++ +++ +++ + + + From 53b6e9d1615f5ba411143c3381b2f37dfc8251b1 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 28 Jan 2025 12:13:26 +0100 Subject: [PATCH 7/8] fix copy&paste --- .../30.0.0/10-cve-2023-34455-rm-snappy.patch | 31 +++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch index 4942a8c3e..f58ab41c4 100644 --- a/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch +++ b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch @@ -10,28 +10,27 @@ is then also downloaded even though a newer version is already on the system. This patch removes the vulnerable jars. diff --git a/distribution/pom.xml b/distribution/pom.xml -index d5918710ef..bba99d078c 100644 +index d5918710ef..cc2d88441c 100644 --- a/distribution/pom.xml 
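Review bot: The header of the new patch file states that "a newer version is already on the system" without saying which snappy-java version that is or which artifact installs it, which is the fact a later reviewer needs in order to confirm that deleting these two jars fixes CVE-2023-34455 rather than leaving the hadoop client without snappy at all. Add one sentence to the header naming the replacement, e.g. `The non-vulnerable snappy-java (version <REPLACEMENT-VERSION>) is provided by <ARTIFACT-OR-DIRECTORY>, so nothing else depends on the removed jars.` with the placeholders filled in from the build. It would also help to state that the removal covers `hadoop-client-api` and `hadoop-client-runtime` only, so anyone adding a further hadoop artifact to the download step knows to extend the list. Whether the classloader that consumes `hadoop-dependencies` can see the newer jar is not something the hunk shows, so the header should present that as verified rather than assumed.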
+++ b/distribution/pom.xml -@@ -594,6 +594,21 @@ +@@ -594,6 +594,20 @@ ++ ++ fix-cve-2023-34455-remove-snappy ++ package ++ ++ exec ++ ++ ++ rm ++ ++ ${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar ++ ${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar ++ ++ + -++ -++ fix-cve-2023-34455-remove-snappy -++ package -++ -++ exec -++ -++ -++ rm -++ -++ ${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar -++ ${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar -++ -++ -++ From 18e2c1a51874a53d669da376c8c9177281d1156f Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:00:25 +0100 Subject: [PATCH 8/8] put the execution in the "dist" profile --- .../patches/30.0.0/10-cve-2023-34455-rm-snappy.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch index f58ab41c4..e4e440d0d 100644 --- a/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch +++ b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch @@ -10,10 +10,10 @@ is then also downloaded even though a newer version is already on the system. This patch removes the vulnerable jars. diff --git a/distribution/pom.xml b/distribution/pom.xml -index d5918710ef..cc2d88441c 100644 +index d5918710ef..2d5bfc6ab4 100644 --- a/distribution/pom.xml +++ b/distribution/pom.xml -@@ -594,6 +594,20 @@ +@@ -259,6 +259,20 @@ @@ -24,7 +24,7 @@ index d5918710ef..cc2d88441c 100644 + exec + + -+ rm ++ /usr/bin/rm + + ${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar + ${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar
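Review bot: The executable change from `rm` to `/usr/bin/rm` in the second hunk is not covered by the commit subject, which only describes moving the execution into the "dist" profile, and the patch file's header does not explain it either; record the reason (the exec goal otherwise resolves `rm` through the build's PATH) so it is not reverted as noise, and note that it assumes an image where `rm` lives under `/usr/bin`. Moving the block to the `@@ -259` region presumably places it beside the step that populates `hadoop-dependencies`; if both are bound to the `package` phase, the removal only works when it is declared after that step, so a comment such as `<!-- must stay after the execution that creates hadoop-dependencies; on a missing path rm fails and so does the build -->` would make the ordering explicit. The pom context around the moved block lies outside this hunk.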