Vulnerabilities in v0.40.0

Hello,

I scanned the docker image for the Metabase v0.40.0 using Sysdig and it identified 92 non-os vulnerabilities. How do I resolve this?

| severity | vuln | package_name | package | fix |
|---|---|---|---|---|
| Medium | CVE-2015-1776 | hadoop | hadoop-2.6.0 | None |
| High | CVE-2015-5237 | protobuf | protobuf-2.5.0 | None |
| Medium | CVE-2016-5001 | hadoop | hadoop-2.6.0 | None |
| Critical | CVE-2017-15095 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2017-17485 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2017-18640 | snakeyaml | snakeyaml-1.23 | None |
| Critical | CVE-2017-7525 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-11307 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2018-11777 | hive | hive-1.2.2 | None |
| High | CVE-2018-12022 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2018-12023 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-1282 | hive | hive-1.2.2 | None |
| Low | CVE-2018-1284 | hive | hive-1.2.2 | None |
| Medium | CVE-2018-1314 | hive | hive-1.2.2 | None |
| Critical | CVE-2018-14718 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-14719 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-14720 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-14721 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-19360 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-19361 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-19362 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2018-20346 | sqlite | sqlite-3.25.2 | None |
| High | CVE-2018-20505 | sqlite | sqlite-3.25.2 | None |
| High | CVE-2018-20506 | sqlite | sqlite-3.25.2 | None |
| High | CVE-2018-5968 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2018-7489 | jackson-databind | jackson-databind-2.7.8 | None |
| Medium | CVE-2019-12384 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2019-13990 | quartz | quartz-2.1.7 | None |
| Critical | CVE-2019-14379 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2019-14439 | jackson-databind | jackson-databind-2.7.8 | None |
| Medium | CVE-2019-19645 | sqlite | sqlite-3.25.2 | None |
| Critical | CVE-2019-19646 | sqlite | sqlite-3.25.2 | None |
| Critical | CVE-2019-20330 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2020-10969 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2020-11655 | sqlite | sqlite-3.25.2 | None |
| Critical | CVE-2020-11656 | sqlite | sqlite-3.25.2 | None |
| Medium | CVE-2020-13434 | sqlite | sqlite-3.25.2 | None |
| Medium | CVE-2020-13435 | sqlite | sqlite-3.25.2 | None |
| High | CVE-2020-13630 | sqlite | sqlite-3.25.2 | None |
| Medium | CVE-2020-13631 | sqlite | sqlite-3.25.2 | None |
| Medium | CVE-2020-13632 | sqlite | sqlite-3.25.2 | None |
| Medium | CVE-2020-13956 | httpclient | httpclient-4.5.10 | None |
| Medium | CVE-2020-15358 | sqlite | sqlite-3.25.2 | None |
| Medium | CVE-2020-1926 | hive | hive-1.2.2 | None |
| High | CVE-2020-24164 | nippy | nippy-2.14.0 | None |
| High | CVE-2020-35490 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2020-35491 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2020-7226 | cryptacular | cryptacular-1.1.3 | None |
| Low | CVE-2020-9488 | log4j | log4j-1.2.17 | None |
| Critical | CVE-2020-9546 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2020-9547 | jackson-databind | jackson-databind-2.7.8 | None |
| Critical | CVE-2020-9548 | jackson-databind | jackson-databind-2.7.8 | None |
| High | CVE-2021-33712 | saml | saml-2.0.0 | None |
| High | VULNDB-106409 | commons_beanutils | commons_beanutils-1.9.3 | 1.9.4 |
| Medium | VULNDB-141671 | wsgiref | wsgiref-0.1.2 | None |
| Medium | VULNDB-147950 | hadoop | hadoop-2.6.0 | 2.6.5 2.7.3 |
| Low | VULNDB-149836 | hadoop | hadoop-2.6.0 | 2.6.5 2.7.5 |
| Medium | VULNDB-156369 | hadoop | hadoop-2.6.0 | 2.7.0 |
| High | VULNDB-156370 | hadoop | hadoop-2.6.0 | 2.7.0 |
| High | VULNDB-171100 | commons_net | commons_net-3.6 | None |
| Medium | VULNDB-173134 | hadoop | hadoop-2.6.0 | 2.7.5 2.8.3 2.9.0 3.0.0 |
| High | VULNDB-179825 | hadoop | hadoop-2.6.0 | 2.7.7 |
| High | VULNDB-182168 | hadoop | hadoop-2.6.0 | 2.7.7 2.8.5 2.9.2 3.0.3 3.1.1 |
| High | VULNDB-182169 | hadoop | hadoop-2.6.0 | 2.7.7 2.8.5 2.9.2 3.0.3 3.1.1 |
| Medium | VULNDB-197271 | hadoop | hadoop-2.6.0 | None |
| Medium | VULNDB-204803 | jackson-databind | jackson-databind-2.7.8 | 2.9.9 |
| High | VULNDB-205891 | hadoop | hadoop-2.6.0 | 2.8.5 2.9.2 3.1.1 |
| High | VULNDB-205935 | sqlite | sqlite-3.25.2 | 3.28.0 |
| Critical | VULNDB-207059 | jackson-databind | jackson-databind-2.7.8 | 2.9.9.1 |
| High | VULNDB-213103 | sqlite | sqlite-3.25.2 | 3.30.0 |
| High | VULNDB-214563 | jackson-databind | jackson-databind-2.7.8 | 2.10.0 2.9.10.1 |
| Critical | VULNDB-214760 | hadoop | hadoop-3.1.1 | 2.8.5 2.9.2 3.1.2 |
| Critical | VULNDB-220038 | log4j | log4j-1.2.17 | 2.8.2 |
| Critical | VULNDB-222902 | sqlite | sqlite-3.25.2 | 3.31.0 |
| High | VULNDB-223108 | jackson-databind | jackson-databind-2.7.8 | 2.8.11.5 2.9.10.3 |
| Medium | VULNDB-231016 | woodstox | woodstox-5.2.1 | 5.3.0 |
| Unknown | VULNDB-237497 | hadoop | hadoop-3.1.1 | 3.1.4 3.2.1 3.3.0 |
| High | VULNDB-241123 | jetty | jetty-9.4.32.v20200930 | 10.0.0.beta3 11.0.0.beta3 9.4.33.v20201019 9.4.33.v20201020 |
| Medium | VULNDB-243634 | jetty | jetty-9.4.32.v20200930 | 10.0.0.beta3 11.0.0.beta3 9.4.33.v20201020 |
| High | VULNDB-247944 | hadoop | hadoop-2.6.0 | 2.10.1 3.1.4 3.2.2 3.3.0 |
| High | VULNDB-247944 | hadoop | hadoop-3.1.1 | 2.10.1 3.1.4 3.2.2 3.3.0 |
| Medium | VULNDB-250208 | batik | batik-1.13 | 1.14 |
| High | VULNDB-250385 | batik | batik-1.13 | 1.14 |
| Medium | VULNDB-250590 | jetty | jetty-9.4.32.v20200930 | 10.0.1 11.0.1 9.4.37.v20210219 9.4.38.v20210224 |
| Medium | VULNDB-252116 | pdfbox | pdfbox-2.0.22 | 2.0.23 |
| Medium | VULNDB-252117 | pdfbox | pdfbox-2.0.22 | 2.0.23 |
| High | VULNDB-256815 | commons-compress | commons-compress-1.20 | None |
| High | VULNDB-257084 | commons-compress | commons-compress-1.20 | None |
| High | VULNDB-259179 | pdfbox | pdfbox-2.0.22 | 2.0.24 |
| High | VULNDB-259180 | pdfbox | pdfbox-2.0.22 | 2.0.24 |
| Medium | VULNDB-90804 | commons_cli | commons_cli-1.2 | None |
| Medium | VULNDB-93555 | httpclient | httpclient-4.5.10 | None |

This is my Dockerfile:

```dockerfile
FROM amazoncorretto:latest
ENV VERSION 0.40.0
WORKDIR /app
ENV MB_DB_TYPE postgres
ADD http://downloads.metabase.com/v$VERSION/metabase.jar /app/target/uberjar/
COPY start.sh /app/bin/
CMD ["bash","/app/bin/start.sh"]
```

Thanks,
Karthik

Hi @KarthiAru
Are any of those relevant to how Metabase uses the dependencies?
Updating dependencies is not always a single line change, but that would be how you might solve it.
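The reply's point is that a flat list of 92 findings is not a work list: the same handful of bundled libraries account for nearly all of them, and only some rows name a fixed version. The script below is an added example, not part of the thread or of Metabase's own tooling. It assumes the whitespace-separated column layout shown in the scan listing above (severity, id, package name, installed package, then zero or more fix versions or the literal `None`), groups the rows by package, and orders packages worst-first with the number of findings and whether the scanner reported any fix version. The embedded sample rows are a constructed subset copied from the listing in the question, so the script runs offline; pointing `parse_findings` at the full scanner export works the same way.

```python
"""Triage a flat vulnerability-scanner listing by package.

Each input line has the shape shown in the scan listing in the post:
    <severity> <vuln id> <package name> <package-version> <fix versions | None>
The fix column may hold several candidate versions separated by spaces.
"""
from collections import Counter, defaultdict

# Constructed sample: a subset of rows copied from the Sysdig listing above.
SAMPLE = """\
severity vuln package_name package fix
Medium CVE-2015-1776 hadoop hadoop-2.6.0 None
Critical CVE-2017-15095 jackson-databind jackson-databind-2.7.8 None
Critical CVE-2017-7525 jackson-databind jackson-databind-2.7.8 None
High CVE-2018-20346 sqlite sqlite-3.25.2 None
Critical CVE-2019-13990 quartz quartz-2.1.7 None
Low CVE-2020-9488 log4j log4j-1.2.17 None
High VULNDB-106409 commons_beanutils commons_beanutils-1.9.3 1.9.4
Medium VULNDB-147950 hadoop hadoop-2.6.0 2.6.5 2.7.3
Critical VULNDB-207059 jackson-databind jackson-databind-2.7.8 2.9.9.1
High VULNDB-214563 jackson-databind jackson-databind-2.7.8 2.10.0 2.9.10.1
Critical VULNDB-220038 log4j log4j-1.2.17 2.8.2
High VULNDB-247944 hadoop hadoop-3.1.1 2.10.1 3.1.4 3.2.2 3.3.0
"""

# Ranking used to pick the worst severity per package and to sort the triage list.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}


def parse_findings(text):
    """Turn the whitespace-separated listing into a list of dicts.

    The header row is skipped. Columns after the fourth are the candidate
    fix versions; the literal 'None' means the scanner knows no fixed version.
    """
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "severity":
            continue
        severity, vuln, name, pkg = parts[:4]
        fixes = [] if parts[4] == "None" else parts[4:]
        findings.append({"severity": severity, "vuln": vuln, "package": name,
                         "installed": pkg, "fixes": fixes})
    return findings


def summarize_by_package(findings):
    """Group findings by package: distinct ids, worst severity, fix status."""
    groups = defaultdict(lambda: {"vulns": set(), "severities": Counter(),
                                  "installed": set(), "fix_versions": set(),
                                  "unfixed": 0})
    for f in findings:
        g = groups[f["package"]]
        g["vulns"].add(f["vuln"])
        g["severities"][f["severity"]] += 1
        g["installed"].add(f["installed"])
        g["fix_versions"].update(f["fixes"])
        if not f["fixes"]:
            g["unfixed"] += 1
    summary = {}
    for name, g in groups.items():
        worst = max(g["severities"], key=lambda s: SEVERITY_RANK.get(s, 0))
        summary[name] = {
            "count": len(g["vulns"]),            # distinct vulnerability ids
            "worst": worst,
            "installed": sorted(g["installed"]),  # may be several bundled copies
            "fix_versions": sorted(g["fix_versions"]),
            "has_fix": bool(g["fix_versions"]),   # at least one row names a fix
            "unfixed": g["unfixed"],              # rows with no fix version at all
        }
    return summary


def triage_order(summary):
    """Packages as (name, worst, count, has_fix), worst severity first, then most findings."""
    return sorted(((n, s["worst"], s["count"], s["has_fix"]) for n, s in summary.items()),
                  key=lambda t: (-SEVERITY_RANK.get(t[1], 0), -t[2], t[0]))


if __name__ == "__main__":
    summary = summarize_by_package(parse_findings(SAMPLE))
    for name, worst, count, has_fix in triage_order(summary):
        fix = ", ".join(summary[name]["fix_versions"]) or "no fixed version listed"
        print(f"{worst:8} {count:3} finding(s) in {name:18} -> {fix}")
```

The `installed` column matters for the question of relevance the reply raises: a package listed twice with different versions (hadoop 2.6.0 and 3.1.1 in the scan) means two bundled copies, and a scanner reports against each jar it finds regardless of whether the application ever loads that code path. Rows with `unfixed` greater than zero cannot be closed by a version bump alone, so they are the ones to check against how the dependency is actually used.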