Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1

[one70six]

Issue

Black Duck, a product by Synopsys that scans for open source security threats, uncovered a few issues with dependencies for the Pulsar 2.3.1 binaries. Just posting the results here to make the community aware for future releases, I know this stuff is like a moving target.

Apache Commons Compress - 1.15

• CVE-2018-11771
• CVE-2018-1324

Apache Maven 2 - 3.0.4

• CVE-2013-0253
• CVE-2016-4469
• CVE-2016-5005
• CVE-2017-5657

AsyncHttpClient - 1.6.5

• CVE-2013-7397
• CVE-2013-7398

Guava: Google Core Libraries for Java - 21.0

• CVE-2018-10237

Guava: Google Core Libraries for Java - 24.1-jre

• CVE-2018-10237

jackson-databind - 2.8.11.3

• CVE-2018-1000873
• CVE-2018-14719
• CVE-2018-14720
• CVE-2018-14721
• CVE-2018-19360
• CVE-2018-19361
• CVE-2018-19362

Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server - 9.4.11.v20180605

• CVE-2017-9735
• CVE-2018-12545

jQuery - 2.2.3

• CVE-2011-4969

jQuery UI - 1.11.4

• CVE-2016-7103

Netty Project - 3.10.1.Final

• CVE-2015-2156

Netty Project - 3.6.2.Final

• CVE-2015-2156
• CVE-2014-0193

It looks like upgrading to the latest versions of each of these dependencies might patch things, but I am not certain.

Thanks!

[demo-client]

Hello,

I wanted to confirm if the correct binaries (without the known vulnerabilities) are already present in the current builds of Pulsar.

If not, what is the timeline of getting these incorporated?

[demo-client]

Hi all (@one70six , @merlimat , @sijie ),

Would you know if this issue is resolved in 2.4.0 (and any update over that)? The InfoSec teams at various companies look at this kind of defects and suggest that we get this fixed before choosing to use Apache Pulsar in production.

So, all updates would help.

Best regards
Anand Sinha