apache / celeborn

Apache Celeborn is an elastic and high-performance service for shuffle and spilled data.

Home Page:https://celeborn.apache.org/

Dependency org.yaml:snakeyaml, leading to CVE problem

CVEDetect opened this issue · comments

Hi, in /common, there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The affected version range of this CVE is [0,1.31).

After further analysis, in this project the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
org.apache.celeborn.common.network.client.TransportResponseHandler: failExpiredPushRequest()V /.m2/repository/io/netty/netty-codec-redis/4.1.77.Final/netty-codec-redis-4.1.77.Final.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /.m2/repository/io/netty/netty-codec-redis/4.1.77.Final/netty-codec-redis-4.1.77.Final.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/io/netty/netty-codec-redis/4.1.77.Final/netty-codec-redis-4.1.77.Final.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/io/netty/netty-codec-redis/4.1.77.Final/netty-codec-redis-4.1.77.Final.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;


Dependency tree--

[INFO] org.apache.celeborn:celeborn-common_2.12:jar:0.3.0-SNAPSHOT
[INFO] +- org.apache.ratis:ratis-common:jar:2.4.1:compile
[INFO] |  +- org.apache.ratis:ratis-thirdparty-misc:jar:1.0.3:compile
[INFO] |  \- org.apache.ratis:ratis-proto:jar:2.4.1:compile
[INFO] +- org.apache.ratis:ratis-client:jar:2.4.1:compile
[INFO] +- io.dropwizard.metrics:metrics-core:jar:3.2.6:compile
[INFO] +- io.dropwizard.metrics:metrics-graphite:jar:3.2.6:compile
[INFO] +- io.dropwizard.metrics:metrics-jvm:jar:3.2.6:compile
[INFO] +- org.yaml:snakeyaml:jar:1.30:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.36:compile
[INFO] +- commons-io:commons-io:jar:2.8.0:compile
[INFO] +- org.apache.commons:commons-crypto:jar:1.0.0:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.10:compile
[INFO] +- io.netty:netty-all:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-dns:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-haproxy:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-memcache:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-mqtt:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-redis:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-smtp:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-socks:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-stomp:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-xml:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-handler-proxy:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-resolver:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-rxtx:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-sctp:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-udt:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-classes-epoll:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-native-unix-common:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-classes-kqueue:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns-classes-macos:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.77.Final:runtime
[INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-aarch_64:4.1.77.Final:runtime
[INFO] |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.77.Final:runtime
[INFO] |  +- io.netty:netty-transport-native-kqueue:jar:osx-aarch_64:4.1.77.Final:runtime
[INFO] |  +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.77.Final:runtime
[INFO] |  \- io.netty:netty-resolver-dns-native-macos:jar:osx-aarch_64:4.1.77.Final:runtime
[INFO] +- org.fusesource.leveldbjni:leveldbjni-all:jar:1.8:compile
[INFO] +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- com.google.protobuf:protobuf-java:jar:3.19.2:compile
[INFO] +- org.scala-lang:scala-library:jar:2.12.15:compile
[INFO] +- org.scala-lang:scala-reflect:jar:2.12.15:compile
[INFO] +- org.apache.hadoop:hadoop-client-api:jar:3.2.1:compile
[INFO] +- org.apache.hadoop:hadoop-client-runtime:jar:3.2.1:compile
[INFO] |  +- org.apache.htrace:htrace-core4:jar:4.1.0-incubating:runtime
[INFO] |  \- commons-logging:commons-logging:jar:1.1.3:runtime
[INFO] +- org.roaringbitmap:RoaringBitmap:jar:0.9.32:compile
[INFO] |  \- org.roaringbitmap:shims:jar:0.9.32:runtime
[INFO] +- org.mockito:mockito-core:jar:1.10.19:test
[INFO] |  +- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] |  \- org.objenesis:objenesis:jar:2.1:test
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.2:test
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.17.2:test
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.17.2:test
[INFO] +- org.apache.logging.log4j:log4j-1.2-api:jar:2.17.2:test
[INFO] +- junit:junit:jar:4.12:test
[INFO] \- org.scalatest:scalatest_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-core_2.12:jar:3.2.3:test
[INFO]    |  +- org.scalatest:scalatest-compatible:jar:3.2.3:test
[INFO]    |  +- org.scalactic:scalactic_2.12:jar:3.2.3:test
[INFO]    |  \- org.scala-lang.modules:scala-xml_2.12:jar:1.2.0:test
[INFO]    +- org.scalatest:scalatest-featurespec_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-flatspec_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-freespec_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-funsuite_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-funspec_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-propspec_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-refspec_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-wordspec_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-diagrams_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-matchers-core_2.12:jar:3.2.3:test
[INFO]    +- org.scalatest:scalatest-shouldmatchers_2.12:jar:3.2.3:test
[INFO]    \- org.scalatest:scalatest-mustmatchers_2.12:jar:3.2.3:test

Suggested solutions:

Update dependency snakeyaml.version to 1.33

Thank you very much.
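The report above boils down to one check a maintainer wants to automate: walk the `mvn dependency:tree` output, find every coordinate that matches a known advisory, and test its version against the advisory's Maven range (here `[0,1.31)` for CVE-2022-25857). The following Python script is an added example, not Celeborn's own tooling or part of the issue. It embeds a constructed excerpt in the shape of the tree shown in the issue, carries a tiny advisory table with only the range and CVE id stated above, and uses a simplified version comparator (numeric tokens compared numerically, qualifiers lowercased) rather than Maven's full `ComparableVersion`; the function and variable names are the example's own.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple

# Constructed excerpt in the format of `mvn dependency:tree` (same layout as the
# tree in the issue, trimmed to a few lines; not the full tree).
SAMPLE_TREE = r"""
[INFO] org.apache.celeborn:celeborn-common_2.12:jar:0.3.0-SNAPSHOT
[INFO] +- org.apache.ratis:ratis-common:jar:2.4.1:compile
[INFO] |  \- org.apache.ratis:ratis-proto:jar:2.4.1:compile
[INFO] +- org.yaml:snakeyaml:jar:1.30:compile
[INFO] +- io.netty:netty-all:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-codec-redis:jar:4.1.77.Final:compile
[INFO] |  \- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.77.Final:runtime
[INFO] \- org.scalatest:scalatest_2.12:jar:3.2.3:test
"""

# Advisory table: (group, artifact) -> (CVE id, affected Maven range).
# Only the entry from the issue is included; a real scanner would load a feed.
ADVISORIES: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("org.yaml", "snakeyaml"): ("CVE-2022-25857", "[0,1.31)"),
}


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str  # empty for the root module line


# Tree prefix ("+- ", "|  \- ", ...) followed by one Maven coordinate.
_LINE_RE = re.compile(r"^\[INFO\][\s|\\+\-]*(\S+)\s*$")

# Single Maven range: "[lo,hi)", "(,hi]", "[exact]" ...
_RANGE_RE = re.compile(r"([\[(])\s*([^,\])]*)\s*(?:,\s*([^\])]*))?\s*([\])])")


def version_key(v: str) -> tuple:
    """Simplified Maven-style ordering: split on '.' and '-', numbers compare
    numerically, qualifiers (Final, SNAPSHOT) compare as lowercase text.
    Good enough for "1.30" < "1.31" <= "1.33"; not the full ComparableVersion."""
    parts = []
    for tok in re.split(r"[.\-]", v):
        parts.append((1, int(tok), "") if tok.isdigit() else (0, 0, tok.lower()))
    return tuple(parts)


def in_range(version: str, spec: str) -> bool:
    """Return True if `version` falls inside the Maven range `spec`."""
    m = _RANGE_RE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    key = version_key(version)
    if hi is None:  # "[1.30]" pins one exact version
        return key == version_key(lo)
    if lo:
        lk = version_key(lo)
        if key < lk or (key == lk and lo_br == "("):
            return False
    if hi:
        hk = version_key(hi)
        if key > hk or (key == hk and hi_br == ")"):
            return False
    return True


def parse_tree(text: str) -> Iterator[Dep]:
    """Yield one Dep per coordinate line; non-tree lines are skipped."""
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) == 4:  # root: group:artifact:type:version
            yield Dep(parts[0], parts[1], parts[3], "")
        elif len(parts) in (5, 6):  # group:artifact:type[:classifier]:version:scope
            yield Dep(parts[0], parts[1], parts[-2], parts[-1])


def find_vulnerable(text: str, advisories=ADVISORIES) -> List[Tuple[Dep, str]]:
    """Return (dependency, CVE id) for every coordinate inside an affected range."""
    hits = []
    for dep in parse_tree(text):
        adv = advisories.get((dep.group, dep.artifact))
        if adv and in_range(dep.version, adv[1]):
            hits.append((dep, adv[0]))
    return hits


if __name__ == "__main__":
    for dep, cve in find_vulnerable(SAMPLE_TREE):
        print(f"{cve}: {dep.group}:{dep.artifact}:{dep.version} ({dep.scope or 'root'})")
    # Re-run on the tree with the version bumped as the issue suggests: no hits.
    print("after bump:", find_vulnerable(SAMPLE_TREE.replace(":1.30:", ":1.33:")))
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file to `find_vulnerable`; the range parser handles the usual single-interval Maven syntax, so the same table entry works whether an advisory gives `[0,1.31)` or `(,1.31)`. Test scope entries are reported too, which is deliberate: the tree in the issue shows snakeyaml in `compile` scope, and filtering by scope is a policy decision better made on the result than inside the parser.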