Hey team
We are updating the DataHub images to version 0.10.4, but with that, new vulnerabilities are introduced in mostly every image:
Guava, snappy-java and Spring Boot autoconfigure
What's the impact of these ones, and can we resolve that?
delightful-ram-75848
07/11/2023, 2:01 AM
@orange-night-91387 might be able to speak to this!
orange-night-91387
07/11/2023, 7:30 PM
Do you have a list of CVEs that are particularly concerning to you? If so, we can try to prioritize those. I'm only seeing the snappy-java one on our end, which is a high, not a critical, so it's not an immediate priority for us. That one is a DoS if intentionally malicious input is sent into a function that we do not appear to use directly, so it is most likely not exploitable, but we will upgrade that dependency as a part of our regular security updates.
creamy-van-28626
07/12/2023, 9:27 AM
Yeah let me share the CVEs to you
creamy-van-28626
07/12/2023, 9:31 AM
SnakeYAML: kafkasetup job: CVE-2022-1471
libx11: datahub-gms, frontend, mce and mae consumer and upgrade: CVE-2023-3138
Spring Boot autoconfigure: CVE-2023-20883
snappy-java: CVE-2023-34453, 54, 55
Guava: CVE-2023-2976
Cryptography: CVE-2023-0286
Perl: CVE-2023-31486
creamy-van-28626
07/18/2023, 2:24 PM
@orange-night-91387 I have created the corresponding GitHub issues as well; they are all in Triage. Can you provide some time for these vulnerabilities?