
NC Solutions report usage of commons-text:1.6.0 having critical vulnerability #16427

Open
arunaryasomayajula opened this issue Oct 18, 2024 · 0 comments
Labels
bug cust-ncsolutions Nielsen Catalina Solutions reporter-support Reported as a support issue by customer Security Vulnerability

Comments

@arunaryasomayajula

H2O version, Operating System and Environment
H2O3 v3.33.1.5394 nightly build

Actual behavior
Specifically, it was complaining that the apache commons-text 1.6 was being used which supposedly has a security issue. After digging around I found that the issue was actually some content in an embedded META-INF directory of the h2o jar. I was able to manually kludge together a fix and rebuild the jar so it passed the test. Specifically:

  1. Unzip the h2o.jar to expand the contents
  2. In the www/3 subdirectory is h2o-genmodel.jar, unzip that
  3. The META-INF directory for h2o-genmodel.jar has a maven subdirectory
  4. In that maven subdirectory there is org.apache.commons subdir which has commons-lang3 and commons-text subdirs
  5. I removed the commons-text subdir and rebundled everything.

It looks like the h2o.jar was mentioning commons-text in the META-INF directory and that was causing snowflake's security scan to complain that commons-text 1.6 was being used.
I didn't see any actual java classes of commons-text in the jar file anywhere so this META-INF commons-text directory may have just been an old artifact.

Anyway, as you know we have been very careful not to change the base h2o version we've been using.
We are currently using
3.33.1.5394 from http://h2o-release.s3.amazonaws.com/h2o/master/5394/maven/repo/

which I believe had some log4j patch.

Can h2o confirm that commons-text 1.6 classes aren't actually used (just that META-INF artifact) and cut a new h2o version based on 3.33.1.5394 with just the small above fix
so we can have our new official binary that will work in Snowflake?

Expected behavior
Patch Apache commons-text-1.6.0 to commons-text-1.10.0 and rebuild the image for H2O3 3.33.1+ and share with customer

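The report above hinges on one distinction: a scanner keyed on `META-INF/maven/.../commons-text/pom.properties` metadata versus the library's classes (`org/apache/commons/text/...`) actually being packaged. The following is an added example, not code from the issue or from the h2o project, that walks a jar and any nested jars (here the `www/3/h2o-genmodel.jar` layout described in the report) and separates the two cases; the sample jars, their entry names other than the commons-text path, and the class bytes are constructed for the demonstration.

```python
import io
import zipfile

# Paths the report describes: pom metadata that scanners key on, and where real classes would live.
MAVEN_PREFIX = "META-INF/maven/org.apache.commons/commons-text/"
CLASS_PREFIX = "org/apache/commons/text/"


def scan_jar(data: bytes, path: str = "") -> dict:
    """Collect commons-text Maven metadata entries and class entries, recursing into nested jars."""
    found = {"metadata": [], "classes": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            full = f"{path}!/{name}" if path else name  # nested entries shown as outer.jar!/inner
            if info.is_dir():
                continue
            if name.startswith(MAVEN_PREFIX):
                found["metadata"].append(full)
            elif name.startswith(CLASS_PREFIX) and name.endswith(".class"):
                found["classes"].append(full)
            elif name.endswith(".jar"):
                nested = scan_jar(zf.read(name), full)
                found["metadata"] += nested["metadata"]
                found["classes"] += nested["classes"]
    return found


def verdict(found: dict) -> str:
    """'classes-present' is a real dependency to patch; 'metadata-only' is the stale-pom case from the report."""
    if found["classes"]:
        return "classes-present"
    return "metadata-only" if found["metadata"] else "clean"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory jar from {entry_name: bytes} (used for the constructed sample below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mirroring the reported layout: h2o.jar -> www/3/h2o-genmodel.jar -> stale commons-text pom.
GENMODEL_JAR = make_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/maven/org.apache.commons/commons-lang3/pom.properties": b"artifactId=commons-lang3\n",
    "META-INF/maven/org.apache.commons/commons-text/pom.properties": b"version=1.6\n",
    "hex/genmodel/GenModel.class": b"\xca\xfe\xba\xbe",  # placeholder class bytes, not a real class
})
H2O_JAR = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "www/3/h2o-genmodel.jar": GENMODEL_JAR})

if __name__ == "__main__":
    result = scan_jar(H2O_JAR, "h2o.jar")
    print(verdict(result), result)  # metadata-only: pom entry found, no org/apache/commons/text classes
```

A `metadata-only` verdict supports removing the stale pom directory as the reporter did; a `classes-present` verdict means the dependency is really shipped and the version has to be upgraded rather than the metadata deleted.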

@arunaryasomayajula arunaryasomayajula added bug Security Vulnerability reporter-support Reported as a support issue by customer cust-ncsolutions Nielsen Catalina Solutions labels Oct 18, 2024
@valenad1 valenad1 self-assigned this Oct 21, 2024