Skip to content

[AMBARI-23093] Eliminated the org.apache.zookeeper:zookeeper dependency due to security concerns #493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
adoroszlai merged 2 commits into from
Mar 1, 2018
Merged

[AMBARI-23093] Eliminated the org.apache.zookeeper:zookeeper dependency due to security concerns #493

adoroszlai merged 2 commits into from
Mar 1, 2018

Conversation

@smolnar82
Copy link
Contributor

@smolnar82 smolnar82 commented Feb 28, 2018
edited
Loading

What changes were proposed in this pull request?

Per CVE-2016-5017

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.

Per CVE-2017-5637

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

So that I eliminated org.apache.zookeper:zookeeper from ambari-server's build (it was never directly referenced; it's been a transitive dependency). However I needed to add a direct dependency of jline:jline (we already have a managed version of this library in ambari-project).

How was this patch tested?

After updating the affected pom.xml files I've done the following:

1.) Checking Maven's dependency resolution:

ambari-server smolnar$ mvn dependency:tree -Dverbose=true -Dincludes=*zookeeper*

[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] Building Ambari Server 2.6.1.0.0
[INFO] ------------------------------------------------------------------------
[INFO] 
[[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.828 s
[INFO] Finished at: 2018-02-27T14:52:46+01:00
[INFO] Final Memory: 46M/1213M
[INFO] ------------------------------------------------------------------------

2.) I executed mvn clean test in ambari-server:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 37:34 min
[INFO] Finished at: 2018-02-27T15:31:13+01:00
[INFO] Final Memory: 189M/1723M
[INFO] ------------------------------------------------------------------------

3.) In addition to this; I replaced the content of usr/lib/ambari-server in my vagrant host with the content from ambari-server/target/ambari-server-2.6.0.0.0-dist/usr/lib/ambari-server (where there was no zookeeper.jar) and restarted the server; logged in and did some actions (in this case I added created a cluster (HDFS only) via blueprints and then added Zookeeper); there were no any issues.

@smolnar82
Copy link
Contributor Author

smolnar82 commented Feb 28, 2018

@rlevas @zeroflag @dlysnichenko @adoroszlai Please review this PR; thanks!

@asfgit
Copy link

asfgit commented Feb 28, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/860/
Test PASSed.

@adoroszlai adoroszlai mentioned this pull request Feb 28, 2018
Merged
adoroszlai
adoroszlai approved these changes Feb 28, 2018
View reviewed changes
ambari-server/pom.xml
</dependency>
<dependency>
<groupId>jline</groupId>
<artifactId>jline</artifactId>
Copy link
Contributor

@adoroszlai adoroszlai Feb 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This no longer needs to be added.

Copy link
Contributor Author

@smolnar82 smolnar82 Feb 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will remove it from trunk version

ambari-server/pom.xml Outdated
<exclusions>
<exclusion>
<groupId>org.apache.curator</groupId>
<artifactId>curator-framework</artifactId>
Copy link
Contributor

@adoroszlai adoroszlai Feb 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spacing seems wrong here.

ambari-server/pom.xml Outdated
<exclusions>
<exclusion>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
Copy link
Contributor

@adoroszlai adoroszlai Feb 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spacing.

ambari-server/pom.xml Outdated
<exclusions>
<exclusion>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
Copy link
Contributor

@adoroszlai adoroszlai Feb 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spacing.

@smolnar82
Copy link
Contributor Author

smolnar82 commented Feb 28, 2018

Can someone please merge it? Thanks!

@smolnar82 smolnar82 changed the title AMBARI-23093. Eliminated the org.apache.zookeeper:zookeeper dependency due to security concerns [AMBARI-23093] Eliminated the org.apache.zookeeper:zookeeper dependency due to security concerns Feb 28, 2018
@smolnar82
Copy link
Contributor Author

smolnar82 commented Feb 28, 2018

Thanks @adoroszlai!

@asfgit
Copy link

asfgit commented Mar 1, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/878/
Test PASSed.

@adoroszlai adoroszlai merged commit ccd31b6 into apache:branch-2.6 Mar 1, 2018
@smolnar82 smolnar82 deleted the AMBARI-23093 branch March 1, 2018 08:20
@smolnar82 smolnar82 mentioned this pull request Mar 4, 2018
Merged
mpapirkovskyy pushed a commit to mpapirkovskyy/ambari that referenced this pull request Apr 12, 2019
@smolnar82 @adoroszlai
AMBARI-23093. Eliminated the org.apache.zookeeper:zookeeper dependenc…
a7edd77 
…y due to security concerns (apache#493)

(cherry picked from commit ccd31b6)

Change-Id: I4cfa6952e737dedc44b840145f4971d396f19f18
@mariasnyk mariasnyk mentioned this pull request Nov 30, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

3 more reviewers

@adoroszlai adoroszlai adoroszlai approved these changes

@rlevas rlevas rlevas approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@smolnar82 smolnar82

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@smolnar82 @asfgit @adoroszlai @rlevas