Update derby to 10.14.2.0
Assignee
Reporter
Sprint
Description
Steps to reproduce
Activity
Filip Vaško February 24, 2021 at 9:03 AMEdited
Testing.
OK on release-CLO-20354 #8:
:check_mark: Derby version 10.14.2.0 is present in the built artifacts
:check_mark: job security-audit-server-CLO-20354 no longer reports derby as vulnerable
:check_mark: server with Derby DB as a system DB
:check_mark: profiler with Derby as a system DB
:check_mark: Designer runtime
:check_mark: Derby connection in the graph
:check_mark: profiler in the Designer
:warning: ImportExportDashboardTest.testDashboardRemoveItems failed in the latest VTE matrix run due to a deadlock - caused by CLO-20258; that's an older issue though and is not related to the update
Closing.
Filip Reichman February 15, 2021 at 9:55 AM
Updated to 10.14.2.0.
QA: please check:
server with Derby DB as a system DB
profiler with Derby as a system DB
Designer runtime - it uses Derby as a system DB
Derby connection in the graph
profiler in the Designer (default DB is Derby)
Filip Reichman February 12, 2021 at 1:12 PM
REST container in the Profiler is scanning all classes on the classpath. The exception is thrown when the new Derby libraries are scanned. But we don't need to scan these libraries.
Restricted scanning only on our package (com.cloveretl.profiler.server).
Filip Reichman February 12, 2021 at 8:30 AM
RestServlet in the Profiler cannot be initialized:
java.lang.ArrayIndexOutOfBoundsException: 17244
org.objectweb.asm.ClassReader.<init>(Unknown Source)
org.objectweb.asm.ClassReader.<init>(Unknown Source)
org.objectweb.asm.ClassReader.<init>(Unknown Source)
com.sun.jersey.spi.scanning.AnnotationScannerListener.onProcess(AnnotationScannerListener.java:133)
com.sun.jersey.core.spi.scanning.JarFileScanner.scan(JarFileScanner.java:97)
com.sun.jersey.spi.scanning.WebAppResourcesScanner$1.f(WebAppResourcesScanner.java:94)
com.sun.jersey.core.util.Closing.f(Closing.java:71)
com.sun.jersey.spi.scanning.WebAppResourcesScanner.scan(WebAppResourcesScanner.java:92)
com.sun.jersey.spi.scanning.WebAppResourcesScanner.scan(WebAppResourcesScanner.java:79)
com.sun.jersey.api.core.ScanningResourceConfig.init(ScanningResourceConfig.java:80)
com.sun.jersey.api.core.WebAppResourceConfig.init(WebAppResourceConfig.java:100)
com.sun.jersey.api.core.WebAppResourceConfig.<init>(WebAppResourceConfig.java:87)
com.sun.jersey.api.core.WebAppResourceConfig.<init>(WebAppResourceConfig.java:72)
com.sun.jersey.spi.container.servlet.WebComponent.getWebAppResourceConfig(WebComponent.java:672)
com.sun.jersey.spi.container.servlet.ServletContainer.getDefaultResourceConfig(ServletContainer.java:414)
com.sun.jersey.spi.container.servlet.ServletContainer.getDefaultResourceConfig(ServletContainer.java:581)
com.sun.jersey.spi.container.servlet.WebServletConfig.getDefaultResourceConfig(WebServletConfig.java:87)
com.sun.jersey.spi.container.servlet.WebComponent.createResourceConfig(WebComponent.java:703)
com.sun.jersey.spi.container.servlet.WebComponent.createResourceConfig(WebComponent.java:678)
com.sun.jersey.spi.container.servlet.WebComponent.init(WebComponent.java:203)
com.sun.jersey.spi.container.servlet.ServletContainer.init(ServletContainer.java:373)
com.sun.jersey.spi.container.servlet.ServletContainer.init(ServletContainer.java:556)
javax.servlet.GenericServlet.init(GenericServlet.java:158)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:748)Filip Reichman February 6, 2021 at 9:08 AM
It seems there is an issue in the profiler, there are many failing tests: https://linda.javlin.eu/jenkins/view/clo-x/view/CLO-20354-Security-updates/job/cloveretl.server-vte-test-custom-CLO-20354/1/
Details
Details
Story Points
Priority
Major
Update derby-related dependencies:
org.apache.derby:derbyorg.apache.derby:derbyclientPreviously used version
10.11.1.1
Vulnerabilities
CVE-2015-1832: CRITICAL - XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
CVE-2018-1313: MEDIUM - In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Aderby&cpe_version=cpe%3A%2F%3Aapache%3Aderby%3A10.11.1.1