CVEs / Vulnerabilities coming up in scans

[itay]

We've done a scan of 350 (looking for the last non-Trino version for now) using Snyk and also received a scan from another tool, and wanted to share the findings. There are more that exist but I've limited this to the plugins we specifically care about. I've broken it up into what is happening in presto-main and presto-hive, and for each tried to include both the CVE (or a link to VulnDB) as well as the mvn dependency:tree output (though some of these dependencies exist in multiple places, I just picked the first one).

Some of these look like relatively straightforward upgrades, but since many of them are in downstream dependencies, I wasn't sure what the Trino policy on updating them are. It's quite challenging to have these come up given the focus that many organizations are putting on not accepting any CVEs marked as High/Critical, which the below all are.

presto-main:

netty (CVE-2019-20445, CVE-2019-20444, CVE-2019-16869, CVE-2015-2156):
[INFO] +- io.airlift.resolver:resolver:jar:1.6:compile
[INFO] |  +- org.sonatype.aether:aether-spi:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-impl:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-util:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-connector-file:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-connector-asynchttpclient:jar:1.13.1:compile
[INFO] |  |  \- com.ning:async-http-client:jar:1.6.5:compile
[INFO] |  +- io.netty:netty:jar:3.6.2.Final:runtime

slf4j (CVE-2018-8088):
[INFO] +- io.airlift.resolver:resolver:jar:1.6:compile
...
[INFO] |  +- org.codehaus.plexus:plexus-classworlds:jar:2.4:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile

async-http-client (CVE-2017-14063):
[INFO] +- io.airlift.resolver:resolver:jar:1.6:compile
[INFO] |  +- org.sonatype.aether:aether-spi:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-impl:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-util:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-connector-file:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-connector-asynchttpclient:jar:1.13.1:compile
[INFO] |  |  \- com.ning:async-http-client:jar:1.6.5:compile

plexus-utils (CVE-2017-1000487)
[INFO] +- io.airlift.resolver:resolver:jar:1.6:compile
[INFO] |  +- org.sonatype.aether:aether-spi:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-impl:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-util:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-connector-file:jar:1.13.1:compile
[INFO] |  +- org.sonatype.aether:aether-connector-asynchttpclient:jar:1.13.1:compile
[INFO] |  |  \- com.ning:async-http-client:jar:1.6.5:compile
[INFO] |  +- io.netty:netty:jar:3.6.2.Final:runtime
[INFO] |  +- org.apache.maven:maven-core:jar:3.0.4:compile
[INFO] |  |  +- org.apache.maven:maven-settings:jar:3.0.4:compile
[INFO] |  |  +- org.apache.maven:maven-settings-builder:jar:3.0.4:compile
[INFO] |  |  +- org.apache.maven:maven-repository-metadata:jar:3.0.4:compile
[INFO] |  |  +- org.apache.maven:maven-plugin-api:jar:3.0.4:compile
[INFO] |  |  +- org.apache.maven:maven-model-builder:jar:3.0.4:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-interpolation:jar:1.14:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-utils:jar:2.0.6:compile
[INFO] |  |  +- org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
[INFO] |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile

jersey-media-jaxb (https://app.snyk.io/vuln/SNYK-JAVA-ORGGLASSFISHJERSEYMEDIA-595972)
[INFO] +- io.airlift:jaxrs:jar:202:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.3.1:runtime
[INFO] |  |  \- javax.activation:javax.activation-api:jar:1.2.0:runtime
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.26:compile
[INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-server:jar:2.26:compile
[INFO] |  |  \- org.glassfish.jersey.media:jersey-media-jaxb:jar:2.26:compile

presto-hive:

groovy-all (CVE-2016-6814):
[INFO] +- com.linkedin.coral:coral-hive:jar:1.0.12:compile
[INFO] |  +- org.codehaus.groovy:groovy-all:jar:2.4.4:compile

jackson-dataformat-cbor (CVE-2020-28491):
[INFO] +- com.amazonaws:aws-java-sdk-core:jar:1.11.921:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO] |  +- software.amazon.ion:ion-java:jar:1.0.2:compile
[INFO] |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.11.1:compile

libthrift (CVE-2019-0205, CVE-2018-1320):
[INFO] +- org.apache.thrift:libthrift:jar:0.9.3-1:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile

google-oauth-client (CVE-2020-7692):
[INFO] +- com.google.cloud.bigdataoss:gcs-connector:jar:hadoop2-2.0.0:compile
[INFO] |  +- com.google.api-client:google-api-client-java6:jar:1.30.1:compile
[INFO] |  |  \- com.google.api-client:google-api-client:jar:1.30.1:compile
[INFO] |  +- com.google.api-client:google-api-client-jackson2:jar:1.30.1:compile
[INFO] |  |  \- com.google.http-client:google-http-client-jackson2:jar:1.30.1:compile
[INFO] |  +- com.google.apis:google-api-services-storage:jar:v1-rev20190624-1.30.1:compile
[INFO] |  +- com.google.oauth-client:google-oauth-client:jar:1.30.1:compile
[INFO] |  |  \- com.google.http-client:google-http-client:jar:1.30.1:compile
[INFO] |  |     +- io.opencensus:opencensus-api:jar:0.21.0:compile
[INFO] |  |     |  \- io.grpc:grpc-context:jar:1.19.0:compile
[INFO] |  |     \- io.opencensus:opencensus-contrib-http-util:jar:0.21.0:compile
[INFO] |  +- com.google.oauth-client:google-oauth-client-java6:jar:1.30.1:compile

[electrum]

Thanks for filing this in a well organized way.

Trino has many dependencies, many of which are difficult or impractical to upgrade, for various reasons. For example, we depend on an old version of the Elasticsearch client, since newer versions of the client are not compatible with older versions of the server that people still use.

While it feels like a general good practice to stay up to date with libraries, upgrades have a cost in terms of developer time and risk to users. As such, it would be rare for a library to be upgraded without a specific benefit.

From a security perspective, we take a practical approach to security. Is the vulnerability in question applicable to Trino? In almost all cases, the vulnerability in a library is for a feature that we don't use, or requires using a library in a specific way. If the vulnerability did affect us, then it would be a high priority to resolve.

[itay]

@electrum thank you for the reply. I definitely and understand (and on a personal level, 110% agree) that it is important to look at these vulnerabilities in detail and understand whether they truly represent an attack surface area or not.

Unfortunately, that's not how the overall enterprise security space has coalesced around this, and in our case, we have downstream consumers of ours which refuse to accept binaries (or will only accept them for a limited time) that have known CVEs against them, even if they are not directly relevant.

Don't get me wrong - I understand the cost in terms of developer time and the risk upgrades pose in general - our software exists in a similar situation on the Java side, and it is a big effort to respond to these CVEs.

Let me follow up with some more specific questions:

1. Would Trino be willing to accept contributions that fix some of these?
2. There are three specific vulnerable libraries that we would especially like to see fixed: netty, async-http-client, slf4j. Most of the issues tend to stem from the airlift/resolver project (which I'm not familiar with at all). Is there any possibility of getting these specific ones resolved?

[electrum]

slf4j (CVE-2018-8088): slf4j-api

The vulnerability is in slf4j-ext, so the check is bogus as the vulnerable artifact isn't included.

netty (CVE-2019-20445, CVE-2019-20444, CVE-2019-16869, CVE-2015-2156)
async-http-client (CVE-2017-14063)
plexus-utils (CVE-2017-1000487)

These are for development mode where plugins can be resolved as POMs. It uses the Maven libraries to resolve dependencies. The server must be configured to point at local POMs, which contain or reference arbitrary code. The Netty vulnerabilities seem to require a malicious server or intermediary. However, the server is providing Maven artifacts containing code to be run by the server, it has to be trusted anyway.

I'd like to upgrade to a newer version of the embedded Maven libraries, but when I looked last it appeared non trivial, and it has not been a priority, since it's for a rarely used development mode and the existing version works.

jersey-media-jaxb (https://app.snyk.io/vuln/SNYK-JAVA-ORGGLASSFISHJERSEYMEDIA-595972)

It's not clear if this applies to Trino. It seems that this is a memory consumption issue for resources that accept XML documents. To my knowledge, none of our JAX-RS endpoints accept XML, since we use JSON for everything. It is possible the parsing happens before the check for the accepted content type, but this would require more investigation.

Unfortunately, while it would be nice to upgrade to later Jersey versions, the fix version is after the switch from the javax to the jakarta namespace. This will likely be a big change across several projects, since it impacts all the API dependencies.

groovy-all (CVE-2016-6814): via coral

I'm not sure why this is pulled in at all. I hope that Coral is not actually using Gradle. We could try excluding it. There is a related issue #5604

libthrift (CVE-2019-0205, CVE-2018-1320): libthrift:jar:0.9.3-1

The check for CVE-2018-1320 is bogus, since we are using the oddly named 0.9.3-1 which has the vulnerability fixed. See https://issues.apache.org/jira/browse/THRIFT-4506

For CVE-2019-0205, the issue is unfortunately not fixed in the 0.9.x branch. Upgrading to newer versions is possible, since libthrift is tied to the generated client code inside the Hive dependency. We would need the Hive project to update in the 3.1.x branch and release a new version. The vulnerability is that a malicious Hive metastore could cause a Trino thread to run into an endless loop, which makes this mostly irrelevant from a practical standpoint, since if you can't trust the Hive metastore, you have bigger problems. The best path to fix this is comment on https://issues.apache.org/jira/browse/THRIFT-5075 and let them know why it's important to release the fix for this older branch.

jackson-dataformat-cbor (CVE-2020-28491)

Fixed in #6660 by upgrading to Jackson 2.11.4

google-oauth-client (CVE-2020-7692): via gcs-connector

It looks like this would be solved by updating gcs-connector to the latest hadoop2-2.2.0. This hopefully be an easy change, but unfortunately, we don't currently have any integration tests for GCS, so I would want someone who uses GCS to test this. Maybe that's you, or perhaps @elonazoulay could help.

[itay]

For these three:

netty (CVE-2019-20445, CVE-2019-20444, CVE-2019-16869, CVE-2015-2156)
async-http-client (CVE-2017-14063)
plexus-utils (CVE-2017-1000487)

Is it possible to build a version of Trino that excludes them (i.e. if we were to do a custom build)? Or even delete them from the packaged tgz (again, we would do this ourselves)? If there's a way to just build without the airlift-resolver functionality, that seems like it would resolve a host of issues. I'm not familiar enough with this part of Trino to say.

Regarding some of the other notes - we've tried explaining the case that the vulnerability doesn't exist (e.g. we were once asked to fix a CVE that only existed on ARM, even though we only support x86/x64), but the reality is that for these consumers, this is simply binary - it either passes or doesn't, and if it doesn't, it needs to be fixed.

[electrum]

We are happy to accept contributions.

The slf4j one is bogus, as I mentioned. The CVE seems to have the correct information, so it seems to be an issue with the particular scanner.

You could certainly modify the code the to remove the resolver. It would be an easy patch to maintain.

[electrum]

This removes the old Maven dependencies from the server: #6834

[itay]

@electrum thank you, that is very helpful!

[bitsondatadev]

@itay is it safe to close this?

[itay]

@bitsondatadev yep, I don't think this is going to move forward in any other way. I'll close it. Appreciate the original engagement!