Addressing Security issues in JanusGraph dependent libraries


andrzej...@gmail.com

Mar 2, 2020, 11:11:40 AM3/2/20
to JanusGraph users
Hello,
I would like to ask what the plans are for upgrading the number of libraries JG is using. We have taken the latest 0.4.1 version, but it looks like there is still a large number of CVE issues in those dependent libraries.
Is there a process defined that would address those security problems, or is everyone updating them manually before it gets into the official repo?

Thanks
Andrzej

Jason Plurad

Mar 5, 2020, 1:24:51 PM3/5/20
to JanusGraph users
There was an issue previously reported https://github.com/JanusGraph/janusgraph/issues/1767 I've drilled down on the CVEs. None of the CVEs are listed as critical severity. Some of them are false positives, and others have already been addressed on the JanusGraph master branch. Depending on your specific deployment of JanusGraph (storage backend, index backend, OLAP), some of the CVEs will not apply to your application.

JanusGraph is an open source and open community project. Open up an issue on the project tracker if there are other CVE issues that were not previously reported (check for the label "kind/security"). It's probably more helpful to identify a separate issue per dependency for granular tracking rather than a batch report. Pull requests are welcome.

Jason Plurad

Mar 5, 2020, 4:04:20 PM3/5/20
to JanusGraph users
I'll also note that Dependabot is activated on the repository, so you can see that it has been actively tracking down potential dependency updates.

Andrzej Wrobel

Mar 9, 2020, 7:52:38 AM3/9/20
to janusgra...@googlegroups.com
Thanks Jason,
The high severity problems seem to be in the following libraries:
hadoop
jackson
log4j
netty
spark

URLs to CVE reported problems:


Jason Plurad

Mar 9, 2020, 10:46:20 AM3/9/20
to JanusGraph users

    * Mitigation: Enable authentication on any Spark standalone cluster that is not otherwise secured from unwanted access, for example by network-level restrictions. Use spark.authenticate and related security properties described at https://spark.apache.org/docs/latest/security.html
    * JanusGraph does not start a Spark cluster by default.

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202
    * This CVE is an umbrella CVE over several CVEs against FasterXML jackson-databind, but it is filed against JBoss specifically.
    * JanusGraph does not package JBoss.
    * jackson-databind has been upgraded to 2.10.3 for various CVEs via https://github.com/JanusGraph/janusgraph/pull/1941 and https://github.com/JanusGraph/janusgraph/pull/2006

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-9518
    * Affected configurations listed are Apple Swift NIO and Apache Traffic Server.
    * JanusGraph does not package these components.

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202
    * duplicate

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17571
    * Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
    * The SocketServer is an optional component, and JanusGraph does not start it by default.

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202
    * duplicate

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-16869
    * Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
    * Netty was updated to 4.1.45.Final last week via https://github.com/JanusGraph/janusgraph/pull/2003

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202
    * duplicate
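To turn the per-CVE notes above into something repeatable against a deployment, here is an added example (not JanusGraph project code) that parses the Maven-style jar names in an unpacked distribution's lib/ directory and flags the ones the thread says to upgrade or review. The thresholds are assumptions taken from the posts above: Netty below 4.1.42.Final (CVE-2019-16869), jackson-databind below the 2.10.3 that master moved to, log4j 1.2.x (the SocketServer of CVE-2019-17571 is optional, so that is a review item), and spark-core as a reminder about spark.authenticate. The sample file names are constructed for illustration, not a real 0.4.1 listing.

```python
"""Triage the jars in a JanusGraph lib/ directory against the dependency notes
in this thread. Added example, not JanusGraph project code. The version
thresholds are assumptions taken from the posts above (netty fixed in
4.1.42.Final, jackson-databind moved to 2.10.3, log4j 1.2.x carries the
SocketServer class, Spark needs spark.authenticate if a cluster is run)."""
import re
from pathlib import Path

# Maven-style jar file name: <artifact>-<numeric version>[<qualifier>].jar
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:[.-][^/]*?)?\.jar$")

# (artifact prefix, first version not affected or None for "review only", note)
RULES = [
    ("netty-", (4, 1, 42),
     "CVE-2019-16869 HTTP request smuggling; fixed in Netty 4.1.42.Final"),
    ("jackson-databind", (2, 10, 3),
     "jackson-databind deserialization CVEs; JanusGraph master is on 2.10.3"),
    ("log4j", (2,),
     "CVE-2019-17571 applies to log4j 1.2 only if the optional SocketServer is started"),
    ("spark-core", None,
     "set spark.authenticate on any Spark standalone cluster not isolated by the network"),
]


def parse_jar(name):
    """Return (artifact, version tuple) for a Maven-style jar name, else None."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact"), version


def triage(jar_names):
    """Return [(jar, note)] for every jar a rule says to upgrade or review."""
    findings = []
    for name in sorted(jar_names):
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        for prefix, fixed, note in RULES:
            if not artifact.startswith(prefix):
                continue
            if fixed is None:
                findings.append((name, "REVIEW: " + note))
            elif version < fixed:  # tuple comparison: (2, 9, 9, 3) < (2, 10, 3)
                findings.append((name, "UPGRADE: " + note))
    return findings


def scan_lib_dir(lib_dir):
    """Run triage over the *.jar files of an unpacked JanusGraph distribution."""
    return triage(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed file names for illustration, not a real 0.4.1 lib/ listing.
SAMPLE_LIB = [
    "janusgraph-core-0.4.1.jar",
    "netty-all-4.1.25.Final.jar",
    "jackson-databind-2.9.9.3.jar",
    "log4j-1.2.17.jar",
    "log4j-core-2.11.1.jar",
    "spark-core_2.11-2.2.2.jar",
]

if __name__ == "__main__":
    import sys
    results = scan_lib_dir(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_LIB)
    for jar, note in results:
        print(f"{jar}: {note}")
```

Run it with the path to the distribution's lib/ directory as the only argument; with no argument it triages the constructed sample. A rule only matches on the artifact prefix and a numeric version tuple, so a qualifier such as ".Final" is ignored and log4j 2.x artifacts (log4j-core, log4j-api) are not flagged by the log4j 1.2 rule. It is a name-based check, so it cannot tell you whether the SocketServer or a Spark cluster is actually running; that is the deployment question Jason raises.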

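The Netty item above (CVE-2019-16869, whitespace before the colon in a header such as "Transfer-Encoding : chunked") is easier to reason about with the two parsers side by side. The following is an added example, not Netty's code: a minimal HTTP/1.1 request parser with three header policies. "lenient" models the pre-4.1.42 behaviour described in the post (the space is tolerated and the header is honoured), "reject" follows RFC 7230 section 3.2.4 (the message is refused), and "ignore" models a front end that drops the malformed header and falls back to Content-Length. The request bytes are constructed for the demonstration; with an ignoring front end and a lenient back end the same bytes are framed as one request by the first and as two by the second, which is the smuggling.

```python
"""Model of the header-parsing difference behind CVE-2019-16869. Added example,
not Netty's code: 'lenient' mimics the pre-4.1.42 behaviour described above
(whitespace before the colon is tolerated), 'reject' follows RFC 7230 section
3.2.4, 'ignore' models a front end that drops the malformed header. The request
bytes are constructed for the demonstration."""


def _parse_header_line(line, policy):
    """Return (name, value) as lower-cased bytes, or None if the line is dropped."""
    name, sep, value = line.partition(b":")
    if not sep:
        raise ValueError("header line without colon: %r" % line)
    if name != name.rstrip(b" \t"):
        # "Transfer-Encoding : chunked": whitespace between field-name and colon
        if policy == "reject":
            raise ValueError("whitespace before colon in header: %r" % line)
        if policy == "ignore":
            return None
        if policy != "lenient":
            raise ValueError("unknown policy %r" % policy)
        name = name.rstrip(b" \t")
    return name.lower(), value.strip()


def _read_chunked(data, pos):
    """Decode a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        crlf = data.find(b"\r\n", pos)
        size = int(data[pos:crlf].split(b";")[0], 16)
        pos = crlf + 2
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":
                raise ValueError("trailers are not supported in this model")
            return body, pos + 2
        body += data[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF


def parse_requests(data, policy):
    """Parse every HTTP/1.1 request in data under the given header policy and
    return [(method, target, body)]. chunked wins over Content-Length when it is
    recognised, which is exactly what lets two parsers disagree on the framing."""
    requests = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete request head")
        request_line, *header_lines = data[pos:end].split(b"\r\n")
        method, target, _version = request_line.split(b" ", 2)
        headers = {}
        for line in header_lines:
            parsed = _parse_header_line(line, policy)
            if parsed is not None:
                headers[parsed[0]] = parsed[1]
        pos = end + 4
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, pos = _read_chunked(data, pos)
        else:
            length = int(headers.get(b"content-length", b"0"))
            body, pos = data[pos:pos + length], pos + length
        requests.append((method.decode(), target.decode(), body))
    return requests


def is_rejected(data, policy):
    """True if the parser refuses the bytes outright under this policy."""
    try:
        parse_requests(data, policy)
    except ValueError:
        return True
    return False


# Constructed CL.TE payload: a front end that ignores the malformed
# Transfer-Encoding header frames the body by Content-Length and forwards one
# request; a lenient back end honours chunked, ends the body at "0\r\n\r\n",
# and treats the remaining bytes as a second, smuggled request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: backend\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Transfer-Encoding : chunked\r\n\r\n" + BODY
)


def desync(front_policy, back_policy):
    """Return (requests seen by the front end, requests seen by the back end)."""
    return parse_requests(REQUEST, front_policy), parse_requests(REQUEST, back_policy)


if __name__ == "__main__":
    front, back = desync("ignore", "lenient")
    print("front end saw", [r[:2] for r in front])
    print("back end saw ", [r[:2] for r in back])
```

The fix in 4.1.42.Final corresponds to the "reject" policy: once the server refuses a field-name with trailing whitespace, there is no second interpretation for a front end to disagree with. The model deliberately omits chunk trailers, obs-fold and pipelining corner cases; it exists to show the framing disagreement, not to replace a real HTTP parser.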