
Fix Vulnerability in elasticsearch 7.17.13 CVE [HZ-3988] [5.3.z] #26131

Closed

Conversation

orcunc
Contributor

@orcunc orcunc commented Dec 4, 2023

Upgrade the elastic client to 7.17.15.
Use the Log4j BOM because of a dependency convergence error coming from the new elastic client.

Fixes: #26117

See: https://discuss.elastic.co/t/elasticsearch-7-17-14-8-10-3-security-update-esa-2023-24/347708, in the "Solutions and Mitigations" section:
The issue is resolved in versions 8.10.3 and 7.17.14.

HZ 5.4 is using 7.17.15, so I have upgraded 5.3.x to 7.17.15.

Checklist:

  • Labels (Team:, Type:, Source:, Module:) and Milestone set
  • Add Add to Release Notes label if changes should be mentioned in release notes or Not Release Notes content if changes are not relevant for release notes
  • Request reviewers if possible

@orcunc orcunc added this to the 5.3.z milestone Dec 4, 2023
@orcunc orcunc self-assigned this Dec 4, 2023
@orcunc orcunc marked this pull request as ready for review December 4, 2023 08:21
@orcunc orcunc changed the title Fix Vulnerability in elasticsearch 7.17.13 CVE [HZ-3988] Fix Vulnerability in elasticsearch 7.17.13 CVE [HZ-3988] [5.3.z] Dec 4, 2023
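The two mechanisms the PR description relies on, shown together as an added example that is not the Hazelcast pom.xml: importing the Log4j BOM in `dependencyManagement` so every `org.apache.logging.log4j` artifact pulled in transitively by the upgraded client resolves to a single version, and the Maven Enforcer `dependencyConvergence` rule (plugin 3.2.1, execution id `enforce-tools`, both visible in the build logs further down) that fails the build when two paths pull different versions of the same artifact. The client artifact coordinates, the BOM version and the project coordinates are assumptions; the page only gives the client version 7.17.15. The `does not match a valid id pattern` lines in those same logs are a separate problem: Maven's model validation rejecting a groupId that contains a literal `$`, which is what a mistyped property reference looks like.

```xml
<!-- Added example, not the project's own pom.xml. Values marked ASSUMED are not on the page. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>                   <!-- ASSUMED placeholder -->
  <artifactId>elastic-client-consumer</artifactId> <!-- ASSUMED placeholder -->
  <version>1.0.0</version>

  <properties>
    <!-- Client version stated in the PR: the first fixed line is 7.17.14, 7.17.15 matches HZ 5.4. -->
    <elasticsearch.version>7.17.15</elasticsearch.version>
    <!-- ASSUMED: use the Log4j line your own dependency audit approves. -->
    <log4j.version>2.20.0</log4j.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the BOM pins every org.apache.logging.log4j artifact (log4j-api,
           log4j-core, ...) to one version. A transitive log4j-api brought in by the
           client can then no longer diverge from the version the rest of the build
           uses, which is exactly what the dependencyConvergence rule checks. -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-bom</artifactId>
        <version>${log4j.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- ASSUMED artifact: the page says only "elastic client 7.17.15". -->
    <dependency>
      <groupId>org.elasticsearch.client</groupId>
      <artifactId>elasticsearch-rest-high-level-client</artifactId>
      <version>${elasticsearch.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.2.1</version>          <!-- plugin version seen in the build log -->
        <executions>
          <execution>
            <id>enforce-tools</id>          <!-- execution id seen in the build log -->
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- Fails when two dependency paths resolve the same artifact to
                     different versions; Maven's nearest-wins resolution would
                     otherwise silently pick one of them. -->
                <dependencyConvergence/>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

When the rule fails, the full Maven output lists each conflicting artifact with the dependency paths that lead to each version just above the `Failed while enforcing releasability` line that the bot excerpt keeps; `mvn dependency:tree -Dverbose` on the failing module shows the same conflicts, including the versions Maven omitted. After the upgrade, `mvn dependency:tree -Dincludes=org.elasticsearch.client` is the quick check that the shipped build really resolves to 7.17.15 rather than a managed older version.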
@hz-devops-test

The job Hazelcast-pr-builder of your PR failed. (Hazelcast internal details: build log, artifacts).
Through arcane magic we have determined that the following fragments from the build log may contain information about the problem.

---------ERRORS-----------
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] 
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.2.1:enforce (enforce-tools) on project hazelcast-distribution: 
[ERROR] Rule 2: org.apache.maven.enforcer.rules.dependency.DependencyConvergence failed with message:
[ERROR] Failed while enforcing releasability. See above detailed error message.
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn  -rf :hazelcast-distribution

@hz-devops-test

The job Hazelcast-pr-EE-compiler of your PR failed. (Hazelcast internal details: build log, artifacts).

@hz-devops-test

The job Hazelcast-pr-compiler of your PR failed. (Hazelcast internal details: build log, artifacts).

@orcunc
Contributor Author

orcunc commented Dec 4, 2023

run-lab-run

@hz-devops-test

The job Hazelcast-pr-builder of your PR failed. (Hazelcast internal details: build log, artifacts).

@hz-devops-test

The job Hazelcast-pr-builder of your PR failed. (Hazelcast internal details: build log, artifacts).
Through arcane magic we have determined that the following fragments from the build log may contain information about the problem.

---------ERRORS-----------
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] Surefire is going to kill self fork JVM. The exit has elapsed 30 seconds after System.exit(0).
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] Tests run: 28, Failures: 1, Errors: 0, Skipped: 1, Time elapsed: 117.598 s <<< FAILURE! - in com.hazelcast.jet.kafka.impl.StreamKafkaPTest
[ERROR] com.hazelcast.jet.kafka.impl.StreamKafkaPTest.when_processingGuaranteeNoneWithConsumerGroup_then_continueFromLastReadMessageAfterJobRestart  Time elapsed: 14.623 s  <<< FAILURE!
[ERROR] Failures: 
[ERROR]   StreamKafkaPTest.when_processingGuaranteeNoneWithConsumerGroup_then_continueFromLastReadMessageAfterJobRestart:265->testWithJobRestart:347->HazelcastTestSupport.assertTrueEventually:1304->HazelcastTestSupport.assertTrueEventually:1285->lambda$testWithJobRestart$4:347 expected:<200> but was:<198>
[ERROR] Tests run: 51, Failures: 1, Errors: 0, Skipped: 1
[ERROR] There are test failures.
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17
[ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern. @ line 17, column 16
[ERROR] 'dependencies.dependency.version' for $com.google.protobuf:protobuf-java:jar is missing. @ line 16, column 17

-------TEST FAILURE-------
[INFO] Results:
[INFO] 
[ERROR] Failures: 
[ERROR]   StreamKafkaPTest.when_processingGuaranteeNoneWithConsumerGroup_then_continueFromLastReadMessageAfterJobRestart:265->testWithJobRestart:347->HazelcastTestSupport.assertTrueEventually:1304->HazelcastTestSupport.assertTrueEventually:1285->lambda$testWithJobRestart$4:347 expected:<200> but was:<198>
[INFO] 
[ERROR] Tests run: 51, Failures: 1, Errors: 0, Skipped: 1
[INFO] 

[ERROR] There are test failures.

@orcunc
Contributor Author

orcunc commented Dec 4, 2023

run-lab-run

@orcunc orcunc closed this Dec 7, 2023