
Fixing security vulnerability check errors#13956

Merged
AmatyaAvadhanula merged 3 commits into apache:master from abhagraw:fixCVE
Mar 23, 2023

Conversation

@abhagraw
Contributor

Fixing security vulnerability check errors.

@AmatyaAvadhanula
Contributor

@abhagraw could you please add more details regarding the CVEs and why they do not affect Druid?

@abhagraw
Contributor Author

@abhagraw could you please add more details regarding the CVEs and why they do not affect Druid?

I have added a comment for CVE-2022-45688.
And for CVE-2020-11612 - we need to update to netty4 (for which a comment was already there.)

Is there any specific information you are looking for?

@abhagraw abhagraw closed this Mar 21, 2023
@abhagraw
Contributor Author

Closed by mistake. Reopening.

@abhagraw abhagraw reopened this Mar 21, 2023
@abhagraw
Contributor Author

abhagraw commented Mar 21, 2023

Suppressing the following CVEs:

CVE-2022-45688 - This does not affect us as we do not use XML
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CVE-2020-11612 - To suppress this we need to update to netty 4 (a lot of other dependencies are waiting on this)
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

CVE-2021-28170 - Updated to jakarta.el 3.0.4
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

CVE-2023-1370 - Druid only parses json with expected formats.
Json-smart is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{’ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
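Two of the CVE descriptions above name the same class of failure: input whose size or structure is unbounded (unlimited bracket nesting in json-smart, unbounded output from Netty's ZlibDecoder) drives a parser or decoder into stack or heap exhaustion. The block below is an added example, not code from this PR or from Druid, showing the defensive pattern of bounding both before the recursive or allocating code runs. The depth and byte limits are assumed policy values, not numbers taken from the PR.

```python
"""Added example (not part of the Druid PR or code base): bound JSON nesting
depth and inflated zlib output before handing input to the real parser/decoder."""
import json
import zlib

MAX_JSON_DEPTH = 64            # assumed limit; choose per application
MAX_INFLATED_BYTES = 1 << 20   # assumed 1 MiB cap; choose per application


def json_nesting_depth(text: str) -> int:
    """Return the maximum '[' / '{' nesting depth of a JSON document.

    Walks the text iteratively (no recursion) so the check itself cannot
    overflow the stack, and skips string literals so brackets inside strings
    such as "[[[" are not counted.  O(n) time, O(1) extra memory.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket in JSON input")
    return max_depth


def parse_json_bounded(text: str, max_depth: int = MAX_JSON_DEPTH):
    """Reject deeply nested documents before a recursive parser ever sees them."""
    depth = json_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


def inflate_bounded(compressed: bytes, max_bytes: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a zlib stream without allocating more than max_bytes of output.

    zlib.decompressobj().decompress(data, max_length) stops producing output
    once max_length bytes exist; asking for one byte more than the cap lets us
    detect overflow without ever materialising the full (possibly huge) output.
    """
    decoder = zlib.decompressobj()
    out = decoder.decompress(compressed, max_bytes + 1)
    if len(out) > max_bytes:
        raise ValueError(f"inflated output exceeds {max_bytes} bytes")
    return out


if __name__ == "__main__":
    # Constructed sample inputs: a deeply nested array and a highly
    # compressible zlib stream that inflates to 1 MiB of 'A' bytes.
    nested = "[" * 200 + "]" * 200
    bomb = zlib.compress(b"A" * (1 << 20))
    for label, fn in (("nested JSON", lambda: parse_json_bounded(nested)),
                      ("zlib stream", lambda: inflate_bounded(bomb, 4096))):
        try:
            fn()
            print(f"{label}: accepted")
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```

Both checks are cheap enough to sit in front of every untrusted parse or decode. The JSON depth walk is only a pre-filter; the real parser still does full validation afterwards.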

@AmatyaAvadhanula
Contributor

Thank you for adding the details!

@AmatyaAvadhanula AmatyaAvadhanula merged commit c52d15d into apache:master Mar 23, 2023
@clintropolis clintropolis added this to the 26.0 milestone Apr 10, 2023