@nikhilerigila09 nikhilerigila09 commented May 3, 2024

Fixes #22626

Motivation

Avoid CVE-2023-4586

Modifications

Upgrade the debezium-oracle-connector version to 2.2.0.Final, which avoids org.infinispan:infinispan-client-hotrod@14.0.4.Final (the artifact with the vulnerability) and uses org.infinispan:infinispan-client-hotrod-jakarta@14.0.4.Final instead, which has no vulnerabilities.

Verifying this change

  • Make sure that the change passes the CI checks.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete
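To confirm that the upgrade really removes the vulnerable artifact from the resolved dependency tree, here is an added shell check (example code, not part of this PR or the Pulsar build). The two tree texts are constructed to mimic `mvn dependency:tree` output; PULSAR_VERSION and OLD_VERSION are placeholders, and the Maven coordinate io.debezium:debezium-connector-oracle is assumed for the connector.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output BEFORE the upgrade
# (illustrative only; PULSAR_VERSION and OLD_VERSION are placeholders).
TREE_BEFORE='org.apache.pulsar:pulsar-io-debezium-oracle:jar:PULSAR_VERSION
+- io.debezium:debezium-connector-oracle:jar:OLD_VERSION:compile
|  \- org.infinispan:infinispan-client-hotrod:jar:14.0.4.Final:compile
\- org.apache.pulsar:pulsar-io-core:jar:PULSAR_VERSION:compile'

# Constructed sample AFTER upgrading to 2.2.0.Final: the -jakarta artifact
# replaces the vulnerable one, so the check must not flag it.
TREE_AFTER='org.apache.pulsar:pulsar-io-debezium-oracle:jar:PULSAR_VERSION
+- io.debezium:debezium-connector-oracle:jar:2.2.0.Final:compile
|  \- org.infinispan:infinispan-client-hotrod-jakarta:jar:14.0.4.Final:compile
\- org.apache.pulsar:pulsar-io-core:jar:PULSAR_VERSION:compile'

# Print the tree lines that resolve GROUP:ARTIFACT to VERSION. Anchoring on
# "group:artifact:jar:version:" keeps the renamed infinispan-client-hotrod-jakarta
# artifact from matching, which a bare substring search would wrongly report.
# Usage: vulnerable_paths "$tree" org.infinispan:infinispan-client-hotrod 14.0.4.Final
vulnerable_paths() {
  printf '%s\n' "$1" | grep -F -- "$2:jar:$3:" || true
}

# Exit 0 when the vulnerable coordinate is absent from the tree, 1 otherwise.
tree_is_clean() {
  [ -z "$(vulnerable_paths "$1" "$2" "$3")" ]
}

# Number of lines a naive substring search would report (shows the false positive).
naive_matches() {
  printf '%s\n' "$1" | grep -c -F -- "$2" || true
}

# Real input would come from `mvn dependency:tree -Dincludes=org.infinispan`
# run in the connector module directory (assumed invocation).
for tree in "$TREE_BEFORE" "$TREE_AFTER"; do
  if tree_is_clean "$tree" org.infinispan:infinispan-client-hotrod 14.0.4.Final; then
    echo "clean: vulnerable artifact not present"
  else
    echo "VULNERABLE path(s):"
    vulnerable_paths "$tree" org.infinispan:infinispan-client-hotrod 14.0.4.Final
  fi
done
```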

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label May 3, 2024
@nicoloboschi nicoloboschi left a comment

LGTM

@lhotari lhotari merged commit 4a59536 into apache:master May 3, 2024
lhotari commented May 3, 2024

Just wondering that we are upgrading this connector to a newer Debezium version than the others. It seems like a hack. I wonder why we are sticking to an old Debezium version for others.

@nikhil-ctds
@lhotari We could update the Debezium version for the others as well. Since only debezium-oracle-connector had vulnerabilities (indirectly, due to infinispan-client-hotrod), I updated it for Oracle. I haven't checked the other Debezium connectors for transitive dependencies with vulnerabilities.

lhotari commented May 7, 2024

@nikhil-ctds Did you ensure that tests pass? I don't see the tests passing and this PR will need to be reverted. @nicoloboschi @shoothzj Please review the revert PR #22668

@nikhilerigila09
@lhotari The CI check failed in "CI Flaky - System - Pulsar IO - Oracle". I haven't tested it, but I see an open issue for the flaky test: #13953

lhotari commented May 9, 2024

@lhotari The CI check failed in "CI Flaky - System - Pulsar IO - Oracle". I haven't tested it, but I see an open issue for the flaky test: #13953

@nikhilerigila09 In this case, it's the test that validates changes in this area. It was failing consistently. This PR has been reverted in #22668, so there's a new chance to attempt to address CVE-2023-4586 in a way that doesn't break existing functionality.

lhotari commented May 9, 2024

@nikhilerigila09 #22668 describes how to find the error logs of an integration test.

lhotari commented May 14, 2024

Note: This PR shouldn't be cherry-picked since it breaks the connector. Reverted in #22668.

Development

Successfully merging this pull request may close these issues.

[Bug] Infinispan Client Hotrod has a vulnerability CVE-2023-4586