exasol / azure-blob-storage-document-files-virtual-schema Goto Github PK

Summary

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.

CVE: CVE-2024-29133
CWE: CWE-787

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-29133?component-type=maven&component-name=org.apache.commons%2Fcommons-configuration2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29133
• https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2

Uploading of the regression test result has changed. We need to adapt to the new process.

Summary

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

CVE: CVE-2024-25710
CWE: CWE-835

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-25710?component-type=maven&component-name=org.apache.commons%2Fcommons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25710
• https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf

IntegrationTestSetup.java sets constant values for DEBUG_ADDRESS and LOG_LEVEL.

if (System.getProperty("test.vs-logs", "false").equals("true")) {
   properties.put("DEBUG_ADDRESS", "127.0.0.1:3001");

See exasol/virtual-schema-common-document#155

Summary

dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.

CVE: CVE-2024-25638
CWE: CWE-345

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-25638?component-type=maven&component-name=dnsjava%2Fdnsjava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25638
• GHSA-cfxw-4h78-h7fw

Summary

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.

CVE: CVE-2024-29131
CWE: CWE-787

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-29131?component-type=maven&component-name=org.apache.commons%2Fcommons-configuration2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29131
• https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37
• GHSA-xjp4-hw94-mvp5

See log messages from build job Dependency Check

• org.xerial.snappy:snappy-java:jar:1.1.8.3 in compile
  • CVE-2023-34453, severity CWE-190: Integer Overflow or Wraparound (7.5)
  • CVE-2023-34454, severity CWE-190: Integer Overflow or Wraparound (7.5)
  • CVE-2023-34455, severity CWE-770: Allocation of Resources Without Limits or Throttling (7.5)
• io.netty:netty-handler:jar:4.1.89.Final in compile
  • CVE-2023-34462, severity CWE-770: Allocation of Resources Without Limits or Throttling (6.5)

Excluded vulnerabilities:

• [CVE-2020-36641] CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (9.8); https://ossindex.sonatype.org/vulnerability/CVE-2020-36641?component-type=maven&component-name=fr.turri%2FaXMLRPC&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

Summary

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.

CVE: CVE-2024-36114
CWE: CWE-125

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-36114?component-type=maven&component-name=io.airlift%2Faircompressor&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36114
• GHSA-973x-65j7-xcf4

First version of azure blob storage virtual schema.

• Run regression tests and check results
• Make sure that you create a ci-isolation user and add the credentials to this github repo

Summary

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

CVE: CVE-2024-29025
CWE: CWE-770

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-29025?component-type=maven&component-name=io.netty%2Fnetty-codec-http&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29025
• GHSA-5jpm-x58v-624v

Summary

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

CVE: CVE-2023-52428
CWE: CWE-400

References

• https://ossindex.sonatype.org/vulnerability/CVE-2023-52428?component-type=maven&component-name=com.nimbusds%2Fnimbus-jose-jwt&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52428
• https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/

With version 9.0.0 it's part of virtual-schema-common-document

IntegrationTestSetup.getHostOverride() currently returns Optional<String> and contains some logic to extract hostname and port from a string.

Proposal

• Keep hostname and port separate as long as possible
• Avoid Optional in AbsTestSetup.getHostOverride() and IntegrationTestSetup.getHostOverride().
• Add and use method AbsTestSetup.makeTcpServiceAccessibleFromDatabase(LocalServiceExposer exposer)

Upgrade to https://github.com/exasol/virtual-schema-common-document-files/releases/tag/8.1.0 (exasol/virtual-schema-common-document-files#163) to add support for configuring column name conversion for automatic mapping inference.

Situation

We introduce nanosecond precision in virtual-schema-common-document.

This needs to be propagated to Azure Blob Storage Document Files Virtual Schema by updating the dependency.

Dependencies

• exasol/virtual-schema-common-document#186
• exasol/virtual-schema-common-document#187
• exasol/virtual-schema-common-document#188

Acceptance Criteria

• An integration test (coming from VSCD) proves that TS(9) is supported with CSV files
• An integration test (coming from VSCD) proves that TS(9) is supported with JSON files
• An integration test (coming from VSCD) proves that TS(9) is supported with Parquet files

Summary

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.

CVE: CVE-2024-26308
CWE: CWE-770

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-26308?component-type=maven&component-name=org.apache.commons%2Fcommons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26308
• https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg
• https://www.openwall.com/lists/oss-security/2024/02/19/2

Auto inference for CSV files was implemented in exasol/virtual-schema-common-document-files#131 and exasol/virtual-schema-common-document-files#130 / virtual-schema-common-document-files 7.3.0.

In exasol/virtual-schema-common-document-files#135 we updated performance regresson tests to use CSV data types. Now e need to upgrade https://github.com/exasol/virtual-schema-common-document-files to version 7.1.3.