Vulnerable Log4j 1.x is bundled with the Ranger extension #14454

Closed
BartMiki opened this issue Jun 20, 2023 · 0 comments · Fixed by #15363
Comments

@BartMiki (Contributor)

Affected Version

  • 25.0.0
  • 26.0.0
  • 27.0.0-SNAPSHOT

Description

Current builds of Apache Druid in versions 25.0.0, 26.0.0, and the newest snapshot are using the Ranger dependency in version 2.0.0. This, however, has a transient dependency on log4j 1.27, which is extremely vulnerable.

The presence of log4j 1.x raises vulnerability alerts in automatic builds in one of our clients.

There is an inactive issue with a similar problem #9629, but we created this issue as we only want to update the Ranger extension.

We already created a fork of the extension in our repo for Druid 25.0.0 and 26.0.0. We would like to contribute this change to the Druid source directly for all new versions of Druid.

There may be a problem as the new Ranger dependency is heavy. It depends on an Amazon library with a jar size of 200 MB. Looking at this issue #11125 it may be a problem.
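The issue above reports that log4j 1.x arrives indirectly through the Ranger extension and is only noticed by vulnerability scanners in automated builds. The following is an added example, not code from the issue author or from the Druid or Ranger projects, showing one way to catch that directly: walk an extension directory, open every jar, and flag any jar whose class layout belongs to log4j 1.x (the `org/apache/log4j/` package, as opposed to the `org/apache/logging/log4j/` package of 2.x). Checking class entries rather than file names also catches log4j 1.x classes shaded into a jar with an unrelated name. The directory layout and the jar contents built by `build_demo_tree` are constructed for the demonstration and are not real Druid artifacts.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Class layout that only log4j 1.x uses (assumption: marker chosen for this example).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# Package prefix of log4j 2.x, kept so the two families are not confused.
LOG4J2_PREFIX = "org/apache/logging/log4j/"


def classify_jar(path):
    """Return 'log4j1', 'log4j2' or None depending on which log4j classes a jar ships."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    if LOG4J1_MARKER in names:
        return "log4j1"
    if any(n.startswith(LOG4J2_PREFIX) for n in names):
        return "log4j2"
    return None


def scan_extension_dir(root):
    """Walk an extensions directory and list every jar that bundles log4j 1.x classes."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            jar_path = os.path.join(dirpath, name)
            try:
                kind = classify_jar(jar_path)
            except zipfile.BadZipFile:
                # Not a readable jar; a scanner should report this, here we just skip it.
                continue
            if kind == "log4j1":
                findings.append(os.path.relpath(jar_path, root))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway extension directory with sample jars (constructed data)."""
    root = tempfile.mkdtemp(prefix="druid-ext-")
    ext = Path(root) / "druid-ranger-security"   # hypothetical extension folder name
    ext.mkdir()

    def make_jar(name, entries):
        with zipfile.ZipFile(ext / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")   # empty class bodies are enough for a layout check

    make_jar("log4j-1.x-sample.jar", ["org/apache/log4j/Logger.class"])
    make_jar("log4j-core-2.x-sample.jar", ["org/apache/logging/log4j/core/Logger.class"])
    make_jar("ranger-plugins-common-sample.jar", ["org/apache/ranger/plugin/Foo.class"])
    # A shaded bundle whose file name says nothing about log4j but embeds 1.x classes.
    make_jar("some-shaded-bundle.jar", ["com/example/A.class", "org/apache/log4j/Logger.class"])
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in scan_extension_dir(demo_root):
        print("log4j 1.x classes found in:", hit)
```

Run it against a real `extensions/<name>/` directory instead of the demo tree to get the same report on an actual Druid installation; a clean directory returns an empty list.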
