NC Solutions report usage of commons-text:1.6.0 having critical vulnerability #16427
Labels
bug
cust-ncsolutions
Neilsen Catalina Solutions
reporter-support
Reported as a support issue by customer
Security Vulnerability
H2O version, Operating System and Environment
H2O3 v3.33.1.5394 nightly build
Actual behavior
Specifically, it was complaining that the apache commons-text 1.6 was being used which supposedly has a security issue. After digging around I found that the issue was actually some content in an embedded META-INF directory of the h2o jar. I was able to manually kludge together a fix and rebuild the jar so it passed the test. Specifically:
It looks like the h2o.jar was mentioning commons-text in the META-INF directory and that was causing snowflake's security scan to complain that commons-text 1.6 was being used.
I didn't see any actual java classes of commons-text in the jar file anywhere so this META-INF commons-text directory may have just been an old artifact.
Anyway, as you know we have been very careful not to change the base h2o version we've been using.
We are currently using
3.33.1.5394 from http://h2o-release.s3.amazonaws.com/h2o/master/5394/maven/repo/
which I believe had some log4j patch.
Can h2o confirm that commons-text 1.6 classes aren't actually used (just that META-INF artifact) and cut a new h2o version based on 3.33.1.5394 with just the small fix above, so we can have our new official binary that will work in Snowflake?
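The customer's observation above is that the scanner matched on META-INF/maven metadata for commons-text rather than on any commons-text classes. The following Python script is an added example, not h2o-3 code, that makes that distinction explicit for any jar: it lists the META-INF/maven entries for a given groupId/artifactId, pulls the declared version out of pom.properties, and separately lists .class entries under the library's package. It builds a small constructed sample jar (commons-text 1.6 metadata, one unrelated class, no commons-text classes) so it runs offline; the function names and the "metadata only" / "classes present" / "absent" verdict strings are this example's own.

```python
import os
import tempfile
import zipfile
from typing import Dict, List, Optional

# Added example, not h2o-3 code. Distinguishes "the jar carries leftover
# META-INF/maven metadata for a library" from "the jar actually ships that
# library's classes", which is the question raised in the report above.


def scan_jar_for_library(jar_path: str, group_id: str, artifact_id: str,
                         package_prefix: str) -> Dict[str, object]:
    """Return metadata entries, declared version and .class entries for one library."""
    metadata_prefix = f"META-INF/maven/{group_id}/{artifact_id}/"
    class_prefix = package_prefix.replace(".", "/") + "/"
    metadata_entries: List[str] = []
    class_entries: List[str] = []
    declared_version: Optional[str] = None
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.startswith(metadata_prefix):
                metadata_entries.append(name)
                if name.endswith("pom.properties"):
                    # pom.properties is a plain key=value file; read the version line
                    text = jar.read(name).decode("utf-8", "replace")
                    for line in text.splitlines():
                        key, sep, value = line.partition("=")
                        if sep and key.strip() == "version":
                            declared_version = value.strip()
            elif name.startswith(class_prefix) and name.endswith(".class"):
                class_entries.append(name)
    return {
        "metadata_entries": metadata_entries,
        "class_entries": class_entries,
        "declared_version": declared_version,
    }


def verdict(scan: Dict[str, object]) -> str:
    """Classify the scan: classes shipped, metadata only, or nothing at all."""
    if scan["class_entries"]:
        return "classes present"
    if scan["metadata_entries"]:
        return "metadata only"
    return "absent"


def build_sample_jar(jar_path: str) -> str:
    """Constructed sample jar mimicking the report: commons-text 1.6 metadata, no classes."""
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/maven/org.apache.commons/commons-text/pom.properties",
            "version=1.6\ngroupId=org.apache.commons\nartifactId=commons-text\n",
        )
        # One unrelated class with a class-file magic header, so the jar is not code-free.
        jar.writestr("water/H2O.class", b"\xca\xfe\xba\xbe")
    return jar_path


def demo() -> Dict[str, object]:
    """Build the constructed jar in a temp dir and scan it for commons-text."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_jar(os.path.join(tmp, "sample.jar"))
        scan = scan_jar_for_library(jar, "org.apache.commons", "commons-text",
                                    "org.apache.commons.text")
        scan["verdict"] = verdict(scan)
        return scan


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real h2o.jar by calling scan_jar_for_library with its path and the same three commons-text arguments. A "metadata only" verdict supports the customer's reading that the scanner finding is a stale pom.properties rather than shipped code; "classes present" means the library really is bundled and the version bump requested below is the right response.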
Expected behavior
Patch apache commons-text 1.6.0 to commons-text 1.10.0, rebuild the image for H2O3 3.33.1+ and share it with the customer
Steps to reproduce
Steps to reproduce the behavior (with working code on a sample dataset, if possible):
Upload logs
If you can, please upload the H2O logs. More information on how to do that is available here, or you can use the h2o.downloadAllLogs() function in R or the h2o.download_all_logs() function in Python.
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.