Security vulnerabilities in the apache/bookkeeper-4.9.2 image

[padma81]

BUG REPORT
A security scanner has reported the following CVEs in the apache/bookkeeper:4.9.2 image.

Component	Current Version	CVE	Severity	Version to be upgraded to	References
Apache log4j	1.2.17	CVE-2017-5645	CRITICAL	2.8.2	https://nvd.nist.gov/vuln/detail/CVE-2017-5645
Apache log4j	1.2.17	CVE-2019-17571	CRITICAL	2.8.2	https://nvd.nist.gov/vuln/detail/CVE-2019-17571 https://logging.apache.org/log4j/1.2/index.html
Java Platform Standard Edition (JRE) (J2RE)	8u102	CVE-2016-5556	CRITICAL	8u241
Java Platform Standard Edition (JRE) (J2RE)	8u102	CVE-2016-5568	CRITICAL	8u241
Java Platform Standard Edition (JRE) (J2RE)	8u102	CVE-2016-5582	CRITICAL	8u241
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server	9.4.5.v20170502	CVE-2017-7657	CRITICAL	9.4.11	https://www.eclipse.org/jetty/security-reports.html
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server	9.4.5.v20170502	CVE-2017-7658	CRITICAL	9.4.11	https://www.eclipse.org/jetty/security-reports.html
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server	9.4.5.v20170502	CVE-2018-12538	CRITICAL	9.4.11	https://www.eclipse.org/jetty/security-reports.html
Netty Project	3.10.1.Final	CVE-2019-20444	CRITICAL	4.1.44.Final	netty/netty#9866 https://github.com/netty/netty/milestone/218?closed=1
Netty Project	3.10.1.Final	CVE-2019-20445	CRITICAL	4.1.44.Final	netty/netty#9861 https://github.com/netty/netty/milestone/218?closed=1
OpenLDAP	2.4.44	CVE-2019-13565	HIGH	2.4.48	https://access.redhat.com/security/cve/CVE-2019-13565 https://bugzilla.redhat.com/show_bug.cgi?id=1730477 https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
Python programming language	2.7.5	CVE-2018-14647	HIGH	2.7.5-86.el7.x86_64	https://access.redhat.com/security/cve/CVE-2018-14647 https://access.redhat.com/errata/RHSA-2019:2030
Python programming language	2.7.5	CVE-2019-10160	CRITICAL	2.7.5-80.el7_6.x86_64	https://access.redhat.com/security/cve/CVE-2019-10160 https://access.redhat.com/errata/RHSA-2019:1587
Python programming language	2.7.5	CVE-2019-16056	HIGH	2.7.5-88.el7.x86_64	https://access.redhat.com/security/cve/CVE-2019-16056 https://access.redhat.com/errata/RHSA-2020:1131
Python programming language	2.7.5	CVE-2019-5010	HIGH	2.7.5-86.el7.x86_64	https://access.redhat.com/security/cve/CVE-2019-5010 https://access.redhat.com/errata/RHSA-2019:2030
Python programming language	2.7.5	CVE-2019-9948	CRITICAL	2.7.5-86.el7	https://access.redhat.com/security/cve/CVE-2019-9948 https://access.redhat.com/errata/RHSA-2019:2030
avahi	0.6.31	CVE-2017-6519	CRITICAL	0.6.31-20.el7.x86_64	https://access.redhat.com/security/cve/CVE-2017-6519 https://access.redhat.com/errata/RHSA-2020:1176
elfutils	0.176	CVE-2018-16402	CRITICAL	0.176-2.el7	https://access.redhat.com/security/cve/CVE-2018-16402 https://access.redhat.com/errata/RHSA-2019:2197
jackson-databind	2.9.7	CVE-2018-19360	CRITICAL	2.9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-19360 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind	2.9.7	CVE-2018-19361	CRITICAL	2.9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-19361 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind	2.9.7	CVE-2018-19362	CRITICAL	2.9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-19362 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind	2.9.7	CVE-2019-14379	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-14379 FasterXML/jackson-databind#2387
jackson-databind	2.9.7	CVE-2019-14540	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-14540 FasterXML/jackson-databind#2410
jackson-databind	2.9.7	CVE-2019-14892	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-14892 FasterXML/jackson-databind#2462
jackson-databind	2.9.7	CVE-2019-14893	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-14893 FasterXML/jackson-databind#2469
jackson-databind	2.9.7	CVE-2019-16335	CRITICAL	2.9.10.1	https://nvd.nist.gov/vuln/detail/CVE-2019-16942 FasterXML/jackson-databind#2478
jackson-databind	2.9.7	CVE-2019-16942	CRITICAL	2.9.10.1	https://nvd.nist.gov/vuln/detail/CVE-2019-16942 FasterXML/jackson-databind#2478
jackson-databind	2.9.7	CVE-2019-16943	CRITICAL	2.9.10.1	https://nvd.nist.gov/vuln/detail/CVE-2019-16943 FasterXML/jackson-databind#2478
jackson-databind	2.9.7	CVE-2019-17267	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-17267 FasterXML/jackson-databind#2460
jackson-databind	2.9.7	CVE-2019-17531	CRITICAL	2.9.10.1	https://nvd.nist.gov/vuln/detail/CVE-2019-17531 FasterXML/jackson-databind#2498
jackson-databind	2.9.7	CVE-2019-20330	CRITICAL	2.9.10.2	https://nvd.nist.gov/vuln/detail/CVE-2019-20330 FasterXML/jackson-databind#2526
jackson-databind	2.9.7	CVE-2020-8840	CRITICAL	2.9.10.3	https://nvd.nist.gov/vuln/detail/CVE-2020-8840 FasterXML/jackson-databind#2620
systemd	219	CVE-2018-15686	CRITICAL	219-67.el7_7.4	https://access.redhat.com/security/cve/CVE-2018-15686 https://access.redhat.com/errata/RHSA-2019:2091
systemd-libs	219	CVE-2018-15686	CRITICAL	219-67.el7_7.4	https://access.redhat.com/security/cve/CVE-2018-15686 https://access.redhat.com/errata/RHSA-2019:2091

Steps to reproduce the behavior:

1. Scan the apache/bookkeeper:4.9.2 with the help of a security scanner.

Expected behavior
The scanner should not report any vulnerabilities, that are already fixed.

Screenshots
NA

Additional context
NA

[padma81]

Even though, for Java, the upgraded version is mentioned as 8u241, it is better to to upgrade to the latest Java 8 security patch available.

[eolivelli]

In my opinion it is time to switch to JDK11 for 4.12.0

cc @ravisharda @sijie @jiazhai @merlimat

[sijie]

@eolivelli +1 from me. Although we also need to consider that Pulsar is using JDK8.

[jiazhai]

+1

[ravisharda]

Pravega also supports Java 8 as of now. Switching to Java 11 looks good to me, as long as it also continues to work with Java 8.

[padma81]

It would be really helpful if anyone could provide an update on this issue.

[eolivelli]

In my opinion we should work in these areas:

• update the base Docker image
• move to JDK11
• update jackson-databind dependencies
• Apache log4j comes from ZooKeeper project probably, but probably we could drop it
• update Netty to latest version

@nicoloboschi @Ghatage @mino181295 do you have time to pick up this items ? dependency upgrade / docker image upgrades

[eolivelli]

I am trying to upgrade to JDK11 here #2433

[Ghatage]

@eolivelli The requirement for netty is to be at 4.1.44-Final at the least.
It seems we are already at netty 4.1.50-Final which happened just a month ago so I think we are good on that for future releases. Should I backport these changes to branch-4.9?

Same with jackson-databind dependency.

Also what do you recommend for logging? We use SLF4J over log4j, and even the latest SLF4J is lagging behind at 1.7.30. I couldn't find the change log for the release either.

[eolivelli]

I am not sure we are going to cut new releases out of branch-4.9.
It is very old, probably it may have sense to update it on branch-4.10.

Btw if there is an interest in making this update let's do it.

[pjfanning]

would it be possible to remove the usage of log4j v1? - it is end-of-life and has numerous security issues that will not be fixed

[pjfanning]

#2816 seems to sort out log4j - but the latest official release (4.14.4) still has log4jv1 dependency (via slf4j-log4j12) - so maybe a new release is justified

https://repo1.maven.org/maven2/org/apache/bookkeeper/bookkeeper-server/4.14.4/bookkeeper-server-4.14.4.pom

[shoothzj]

@pjfanning I think we have already remove slf4j-log4j12 and update to java11. We can close this issue.