2.0.10 Fixed vulnerabilities CVE-2024-47535 and CVE-2024-51504

This release fixes the following vulnerabilities:

CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.114.Final:provided

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-47535?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47535
• GHSA-xq3w-v528-46rv

CVE-2024-51504 (CWE-290) in dependency org.apache.zookeeper:zookeeper:jar:3.9.2:provided

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-51504?component-type=maven&component-name=org.apache.zookeeper%2Fzookeeper&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-51504
• https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh

Security

• #50: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.114.Final:provided
• #48: Fixed vulnerability CVE-2024-51504 in dependency org.apache.zookeeper:zookeeper:jar:3.9.2:provided

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:exasol-jdbc:24.1.2 to 24.2.0

Test Dependency Updates

• Updated com.fasterxml.jackson.core:jackson-core:2.18.0 to 2.18.1
• Updated nl.jqno.equalsverifier:equalsverifier:3.17.1 to 3.17.3
• Added org.apache.commons:commons-lang3:3.17.0
• Updated org.junit.jupiter:junit-jupiter-api:5.11.2 to 5.11.3
• Updated org.junit.jupiter:junit-jupiter:5.11.2 to 5.11.3
• Updated org.testcontainers:junit-jupiter:1.20.2 to 1.20.3

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
• Added com.exasol:quality-summarizer-maven-plugin:0.2.0
• Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
• Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.2.4 to 3.2.7
• Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.7.0 to 3.10.1
• Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
• Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1

2.0.9 Fixed vulnerability CVE-2024-47561 in org.apache.avro:avro:jar:1.11.3:provided, upgrade dependencies

This release upgrades current dependencies and fixes the following vulnerability:

CVE-2024-47561 (CWE-502) in dependency org.apache.avro:avro:jar:1.11.3:provided

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-47561?component-type=maven&component-name=org.apache.avro%2Favro&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47561
• https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x

Security

• #44: CVE-2024-47561: org.apache.avro:avro:jar:1.11.3:provided

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:exasol-jdbc:24.1.0 to 24.1.2

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.1.0 to 7.1.1
• Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
• Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
• Updated com.fasterxml.jackson.core:jackson-core:2.17.1 to 2.18.0
• Updated nl.jqno.equalsverifier:equalsverifier:3.16.1 to 3.17.1
• Updated org.hamcrest:hamcrest:2.2 to 3.0
• Updated org.junit.jupiter:junit-jupiter-api:5.10.2 to 5.11.2
• Updated org.junit.jupiter:junit-jupiter:5.10.2 to 5.11.2
• Updated org.mockito:mockito-core:5.12.0 to 5.14.2
• Updated org.mockito:mockito-junit-jupiter:5.12.0 to 5.14.2
• Updated org.testcontainers:junit-jupiter:1.19.8 to 1.20.2

2.0.8 Fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided

This release fixes vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided which could lead to unbounded recursion.

Security

• #41: CVE-2024-7254: com.google.protobuf:protobuf-java:jar:3.19.6:provided

Dependency Updates

Compile Dependency Updates

• Removed io.netty:netty-all:4.1.111.Final
• Removed joda-time:joda-time:2.12.7
• Removed org.apache.avro:avro:1.11.3
• Removed org.apache.commons:commons-compress:1.26.2
• Removed org.apache.ivy:ivy:2.5.2
• Removed org.apache.zookeeper:zookeeper:3.9.2
• Removed org.codehaus.janino:janino:3.1.12
• Removed org.xerial.snappy:snappy-java:1.1.10.5

2.0.7 Test with Exasol v8

This release verifies that this project works with Exasol v8 by running integration tests with the latest Exasol Docker DB version.

Features

• #34: Added integration tests with Exasol v8

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:exasol-jdbc:24.0.0 to 24.1.0
• Updated io.netty:netty-all:4.1.109.Final to 4.1.111.Final
• Updated org.apache.commons:commons-compress:1.26.1 to 1.26.2

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.0
• Updated com.fasterxml.jackson.core:jackson-core:2.17.0 to 2.17.1
• Updated nl.jqno.equalsverifier:equalsverifier:3.15.8 to 3.16.1
• Updated org.mockito:mockito-core:5.11.0 to 5.12.0
• Updated org.mockito:mockito-junit-jupiter:5.11.0 to 5.12.0
• Updated org.testcontainers:junit-jupiter:1.19.7 to 1.19.8

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.3.2 to 4.3.3

2.0.6 CVE fix

Fixed CVE-2024-36114 in io.airlift:aircompressor (dependency of spark-sql).

Features

• #38: CVE-2024-36114: io.airlift:aircompressor:jar:0.25:provided

Dependency Updates

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
• Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.3.2
• Updated org.apache.maven.plugins:maven-deploy-plugin:3.1.1 to 3.1.2
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.2.2 to 3.2.4
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.3 to 3.7.0
• Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121
• Updated org.sonatype.plugins:nexus-staging-maven-plugin:1.6.13 to 1.7.0

2.0.5 Fix CVEs in compile and test dependencies

This release fixes the following vulnerabilities in dependencies:

• CVE-2024-29025 in io.netty:netty-codec-http:jar:4.1.96.Final:provided
• CVE-2024-23080 in joda-time:joda-time:jar:2.12.5:provided
• CVE-2023-33546 in org.codehaus.janino:janino:jar:3.1.9:provided

Features

• #36: Fixed CVE-2024-23080
• #35: Fixed CVE-2024-29025

Dependency Updates

Compile Dependency Updates

• Added io.netty:netty-all:4.1.109.Final
• Added joda-time:joda-time:2.12.7
• Added org.codehaus.janino:janino:3.1.12

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:2.0.1 to 2.0.2
• Updated com.exasol:project-keeper-maven-plugin:4.2.0 to 4.3.0
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.1.0 to 3.2.2
• Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922

2.0.4: Fix CVE-2024-25710 and CVE-2024-26308 in compile dependency

This release fixes CVE-2024-25710 and CVE-2024-26308 in compile dependency org.apache.commons:commons-compress:1.24.0.

Security

• #30: Fixed CVE-2024-25710 in org.apache.commons:commons-compress:jar:1.24.0:compile
• #32: Fixed CVE-2024-26308 in org.apache.commons:commons-compress:jar:1.24.0:compile

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:exasol-jdbc:7.1.20 to 24.0.0
• Updated org.apache.commons:commons-compress:1.24.0 to 1.26.1
• Updated org.apache.zookeeper:zookeeper:3.7.2 to 3.9.2

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.0.0 to 7.0.1
• Updated com.exasol:hamcrest-resultset-matcher:1.6.1 to 1.6.5
• Updated com.exasol:test-db-builder-java:3.5.1 to 3.5.4
• Updated com.fasterxml.jackson.core:jackson-core:2.15.2 to 2.17.0
• Updated nl.jqno.equalsverifier:equalsverifier:3.15.2 to 3.15.8
• Updated org.junit.jupiter:junit-jupiter-api:5.10.0 to 5.10.2
• Updated org.junit.jupiter:junit-jupiter:5.10.0 to 5.10.2
• Updated org.mockito:mockito-core:5.5.0 to 5.11.0
• Updated org.mockito:mockito-junit-jupiter:5.5.0 to 5.11.0
• Updated org.testcontainers:junit-jupiter:1.19.0 to 1.19.7

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.3.1 to 2.0.1
• Updated com.exasol:project-keeper-maven-plugin:2.9.16 to 4.2.0
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.2 to 3.2.5
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.2 to 3.6.3
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.2 to 3.2.5
• Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
• Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.1 to 2.16.2

2.0.3: Update transitive dependencies to fix CVEs

Summary

Updated transitive dependencies to fix:

• zookeeper: CVE-2023-44981, severity CWE-639: Authorization Bypass Through User-Controlled Key (9.1)
• exasol-testcontainers: CVE-2023-4043, severity CWE-20: Improper Input Validation (7.5)
• arvo: CVE-2023-39410, severity CWE-502: Deserialization of Untrusted Data (7.5)

CVE-2023-4586 is silenced, as there is no fix at the moment.

Features

• #27: Fixed vulnerabilities in zookeeper, parsson, avro

Dependency Updates

Compile Dependency Updates

• Added org.apache.avro:avro:1.11.3
• Added org.apache.zookeeper:zookeeper:3.7.2

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.6.2 to 7.0.0

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:1.3.0 to 1.3.1
• Updated com.exasol:project-keeper-maven-plugin:2.9.12 to 2.9.16
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.0 to 3.4.1
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.2
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.5.0 to 3.6.2
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.2
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.1
• Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594

2.0.2: Update dependencies to fix CVEs

Summary

Update transitive dependencies to fix CVE-2023-42503, CVE-2023-43642, CVE-2022-46751 and CVE-2022-46751.

Security

• #23: Updated deps to fix CVE-2023-42503, CVE-2023-43642, CVE-2022-46751 and CVE-2022-46751

Dependency Updates

Compile Dependency Updates

• Added org.apache.commons:commons-compress:1.24.0
• Added org.apache.ivy:ivy:2.5.2
• Added org.xerial.snappy:snappy-java:1.1.10.5

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:6.6.1 to 6.6.2
• Updated com.exasol:hamcrest-resultset-matcher:1.6.0 to 1.6.1
• Updated com.exasol:test-db-builder-java:3.4.2 to 3.5.1
• Updated nl.jqno.equalsverifier:equalsverifier:3.15 to 3.15.2
• Updated org.mockito:mockito-core:5.4.0 to 5.5.0
• Updated org.mockito:mockito-junit-jupiter:5.4.0 to 5.5.0
• Updated org.testcontainers:junit-jupiter:1.18.3 to 1.19.0

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:2.9.10 to 2.9.12
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.3.0 to 3.4.0

2.0.1: Added helper method to get key-value options pairs

Summary

This release adds a helper method to get key-value options pairs.

Refactorings

• #21: Added get method for key-value options pairs

Dependency Updates

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:2.9.9 to 2.9.10