@qschnee qschnee commented Jan 30, 2026

Documentation has been written in docker/SYSTEMDS-3878/, with README.md as the main file.
To solve vulnerabilities, dependencies have been upgraded in the pom.xml and in sysds.Dockerfile.
The image builds correctly by calling docker/build.sh.
Some vulnerabilities are left, but should be isolated and harmless.
Most GitHub Actions are successful.

qschnee and others added 30 commits December 4, 2025 12:35
…d document changes

The file project_systemds-3878.md is a file to log the work that is done for the project and systemds-3878_summary-of-changes.md documents the modifications that will be made on the Dockerfiles.
…Dockerfile

Add initial security scan results for the apache/systemds:latest image. Docker Scout identified 79 vulnerabilities (4 Critical, 29 High, 36 Medium, 9 Low) which will guide remediation efforts.
…ical vulnerability

This commit fixes the Critical vulnerability of org.apache.zookeeper by updating the package from version 3.6.3 to 3.8.3. The package is backwards compatible and no build errors have been identified from the change. The pom.xml file has been modified. Zookeeper is a transitive dependency used by spark-core and hadoop-common. Both use the vulnerable version of zookeeper. As such, the newer, less-vulnerable version has been explicitly imported and has been excluded from both other packages to prevent them from using the older version. The sysds.Dockerfile file has been modified to make docker build from the filesystem rather than cloning from the latest git version, which does not contain the changes.
Spark-core and hadoop-common use a vulnerable version of zookeeper:
https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/3.3.6
https://mvnrepository.com/artifact/org.apache.spark/spark-core_2.12/3.5.0
This solution was implemented as spark-core and hadoop-common do not show high-severity vulnerabilities, and updating spark-core across a major version would have required much refactoring.
This commit fixes the critical Apache Avro deserialization vulnerability identified by docker scout cves. The following changes have been made to pom.xml:
- Added avro.version property (1.11.4)
- Added dependencyManagement section to override transitive dependency

Source: https://scout.docker.com/v/CVE-2024-47561
This commit fixes the critical Apache Kerby LDAP Injection vulnerability identified by docker scout cves. The following changes have been made to pom.xml:
- Added kerby.version property (2.0.3)
- Added dependencyManagement section to override transitive dependency

Source: https://scout.docker.com/v/CVE-2023-25613
[MINOR][SYSTEMDS-3878] Fix pom.xml vulnerability (CVE-2024-47561)
[MINOR][SYSTEMDS-3878] Fix pom.xml vulnerability (CVE-2023-25613)
There can only be one dependencyManagement tag in the pom.xml, solved by fusing the two tags.
This commit fixes the following vulnerability identified by docker scout cves: ch.qos.logback/logback-core. The following changes have been made on the pom.xml: version of zookeeper bumped to 3.9.4; declared explicit dependency on netty-handler.
fixed dependencyManagement error
fixed vulnerabilities generated by zookeeper or its transitive dependencies
…dependencies

This commit addresses multiple high-severity vulnerabilities by pinning
transitive dependency versions in dependencyManagement:

- CVE-2024-7254: protobuf-java 3.23.4 → 3.25.5 (CVSS 8.7)
- CVE-2024-47554: commons-io → 2.14.0 (DoS vulnerability)
- CVE-2023-1436: jettison → 1.5.4 (Stack overflow)
- CVE-2023-43642: snappy-java → 1.1.10.4 (Multiple CVEs)
- CVE-2023-6378: logback → 1.2.13 (Deserialization)
- CVE-2025-52999: jackson-core → 2.15.0 (Stack overflow)
- CVE-2023-1370: json-smart → 2.4.9 (Stack overflow)
- CVE-2023-52428: nimbus-jose-jwt → 9.37.4 (Resource consumption)
- CVE-2024-36114: aircompressor → 0.27 (Out-of-bounds read)
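The pattern used in the zookeeper commit above (declare the safe version directly and exclude the vulnerable one from spark-core and hadoop-common) and in the dependencyManagement pinning commits, shown as an added illustration that is not the PR's own pom.xml. The project coordinates (org.example:pinned-transitives-example) are placeholders; the artifact coordinates are the standard Maven ones for zookeeper, Avro, protobuf-java, Spark and Hadoop, and the versions are the ones named in the commit messages (zookeeper 3.9.4, avro 1.11.4, protobuf-java 3.25.5, spark-core_2.12 3.5.0, hadoop-common 3.4.2):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Placeholder project coordinates (assumption, not the SystemDS pom). -->
  <groupId>org.example</groupId>
  <artifactId>pinned-transitives-example</artifactId>
  <version>1.0.0</version>

  <!-- One property per pinned library keeps the override in a single place
       and makes the next bump a one-line change. -->
  <properties>
    <zookeeper.version>3.9.4</zookeeper.version>
    <avro.version>1.11.4</avro.version>
    <protobuf.version>3.25.5</protobuf.version>
  </properties>

  <!-- A POM may contain exactly one dependencyManagement section; every
       transitive override lives here. A managed version wins over the
       version a transitive dependency asks for, without pulling the
       library in unless something actually depends on it. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.zookeeper</groupId>
        <artifactId>zookeeper</artifactId>
        <version>${zookeeper.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro</artifactId>
        <version>${avro.version}</version>
      </dependency>
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
        <version>${protobuf.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Explicit direct dependency on the patched zookeeper: Maven's
         nearest-wins rule then prefers it over the copy Spark/Hadoop declare.
         No version here; it comes from dependencyManagement. -->
    <dependency>
      <groupId>org.apache.zookeeper</groupId>
      <artifactId>zookeeper</artifactId>
    </dependency>

    <!-- Exclude the vulnerable transitive zookeeper from both consumers so
         only the explicitly declared version can end up on the classpath. -->
    <dependency>
      <groupId>org.apache.spark</groupId>
      <artifactId>spark-core_2.12</artifactId>
      <version>3.5.0</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.zookeeper</groupId>
          <artifactId>zookeeper</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-common</artifactId>
      <version>3.4.2</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.zookeeper</groupId>
          <artifactId>zookeeper</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

The dependencyManagement entry alone is enough to pin the version that Maven resolves for a transitive dependency; the exclusions are the belt-and-braces step the zookeeper commit describes, and they also keep the override honest if someone later removes the managed version. Check the result with `mvn dependency:tree -Dincludes=org.apache.zookeeper`, which prints every path by which zookeeper is reached and the single version resolved for it. Two caveats that the commits themselves raise: a pinned version can be compatible at compile time yet change runtime behaviour, so the build and tests must still pass after each pin; and the override only reaches the image if the Docker build uses the modified working tree rather than cloning upstream, which is why sysds.Dockerfile was changed to build from the filesystem.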
…e dependencies

This patch extends the security fixes for multiple high-severity CVEs
by adding version overrides in dependencyManagement for additional
vulnerable transitive dependencies.

New version properties and dependencyManagement entries added for:
- Netty 4.x components (4.1.124.Final): CVE-2025-55163, CVE-2023-44487
- Jetty components (9.4.57.v20241219): CVE-2024-6763
- xnio-api (3.8.14.Final): CVE-2023-5685
- commons-beanutils (1.11.0): CVE-2025-48734
- dnsjava (3.6.0): CVE-2024-25638
- protobuf-java (3.25.5): CVE-2024-7254
…ive dependencies

This patch extends the security fixes for multiple high-severity CVEs
by adding version overrides in dependencyManagement for additional
vulnerable transitive dependencies.

New version properties and dependencyManagement entries added for:
- org.eclipse.jetty/jetty-http@12.0.12 : CVE-2024-6763
- org.apache.commons/commons-compress@1.26.0 : CVE-2024-26308, CVE-2024-25710, CVE-2023-42503
- org.apache.commons/commons-configuration2@2.10.1 : CVE-2024-29133, CVE-2024-29131
…ive dependencies

This patch extends the security fixes for multiple high-severity CVEs by adding version overrides in dependencyManagement for additional vulnerable transitive dependencies.

New version properties and dependencyManagement entries added for:
- org.apache.hadoop.thirdparty/hadoop-shaded-guava@1.5.0
- com.google.guava/guava@33.5.0-jre
to solve CVE-2023-2976 and CVE-2020-8908.
A CVE remains for com.google.guava/guava@14.0.1.
…ive dependencies

This patch extends the security fixes for multiple high-severity CVEs by adding version overrides in dependencyManagement for additional vulnerable transitive dependencies.

New version properties and dependencyManagement entries added for io.netty:
- netty-codec-http
- netty-codec-smtp
- netty-codec
upgraded to version 4.1.129.Final to solve the following vulnerabilities: CVE-2025-67735, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419
…ive dependencies

This patch extends the security fixes for multiple high-severity CVEs by adding version overrides in dependencyManagement for additional vulnerable transitive dependencies.

New version properties and dependencyManagement entries added for org.apache.logging.log4j/log4j-core, upgraded to version 2.25.3 to solve CVE-2025-68161.
…ive dependencies

This patch extends the security fixes for multiple high-severity CVEs by adding version overrides in dependencyManagement for additional vulnerable transitive dependencies.

New version properties and dependencyManagement entries added for:
- org.apache.commons/commons-lang3@3.18.0: CVE-2025-48924
- org.apache.spark/spark-network-common_2.12@3.5.2: CVE-2025-55039
…ive dependencies

This patch extends the security fixes for multiple high-severity CVEs by adding version overrides in dependencyManagement for additional vulnerable transitive dependencies.

New version properties and dependencyManagement entries added for:
- org.apache.hadoop/hadoop-common@3.4.2: CVE-2024-23454: Improper Privilege Management

Version 3.4.0 is enough for CVE-2024-23454, but generates two other CVEs which do not occur with the upgraded version 3.4.2.
…tive dependencies

This patch extends the security fixes for critical-severity CVE by adding version overrides in pom.xml for vulnerable transitive dependencies.

org.apache.hadoop/hadoop-hdfs: upgraded to 3.4.2, which doesn't use io.netty/netty anymore.
related package: io.netty/netty@3.10.6.Final
critical 9.1: CVE-2019-20444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
and other CVEs

Imports for netty packages change from `org.jboss.netty.*` to `io.netty.*`.
Fix critical-severity CVE io.netty/netty
This patch fixes security vulnerabilities in the Alpine Linux base image
by upgrading vulnerable system packages in docker/sysds.Dockerfile.

Fixed CVEs (openssl):
- CVE-2025-9230 (High): upgraded to 3.3.5-r0
- CVE-2025-9231 (Medium): upgraded to 3.3.5-r0
- CVE-2025-9232 (Medium): upgraded to 3.3.5-r0

Fixed CVEs (busybox):
- CVE-2025-46394: upgraded from 1.36.1-r29 to 1.36.1-r31
- CVE-2024-58251: upgraded from 1.36.1-r29 to 1.36.1-r31

Unfixable CVEs (no upstream patch available):
- CVE-2025-60876 (busybox): Not Fixed by Alpine
- CVE-2026-22184 (zlib): Not Fixed by Alpine
- CVE-2025-62813 (lz4): Not Fixed by Alpine

Also added exclusions in pom.xml for guava, jackson, and jetty
transitive dependencies from Spark/Hadoop to use managed versions.
[MINOR][SYSTEMDS-3878] Fix Alpine APK CVEs in Docker image
Add UNFIXED_VULNERABILITIES.md explaining remaining security
vulnerabilities that cannot be resolved due to upstream constraints.
Empty lines were removed with formatting and indenting
anabel-ksp and others added 15 commits January 29, 2026 11:28
[DOC][SYSTEMDS-3878] Document unfixed CVEs in Docker image
[MINOR][SYSDS-3878] Rebase apache/systemds:latest into fork
Create docker/SYSTEMDS-3878/ folder structure to document all security
fix work with the following subfolders:
- scan-before-fixes/: Initial Docker Scout vulnerability scan
- scan-after-fixes/: Final vulnerability scan after fixes
- summary-of-changes/: Detailed changelog with git commit history
- unfixed-vulnerabilities/: Documentation of remaining CVEs

Added complete git commit history to summary-of-changes/README.md
During the rebase, two <plugin> tags created errors in the pom.xml.
Created a GitHub compare link between the oldest and newest commits.
Pull from GitHub latest to build container.
Fixed number of vulnerabilities left.