Security advisories #

Security advisories are necessary to inform you of the impact of publicly disclosed vulnerabilities, exposures, and other reported security threats. These reports are often available as Common Vulnerability and Exposure (CVE), as entries in the National Vulnerability Database, or from other sources.

The following sections provide information for various of the reports based on their unique identifiers. Reports not listed typically do not apply. Contact us for further information about any reports.

Reports are sorted by date, starting with the latest advisories, and aim to cover details for all Starburst products, including Starburst Enterprise platform (SEP) and Starburst Galaxy and included components.

CVE-2023-38545 and CVE-2023-38546 libcurl #

The CVE-2023-38545 and CVE-2023-38546 reports describe buffer overflow and cookie injection exploits with the libcurl and curl tools. The Starburst engineering team has reviewed these CVEs and confirmed that they do not impact our Starburst Enterprise or Starburst Galaxy products. Out of caution, the Starburst engineering team has updated the library for future releases. Customers do not need to take any action.

Column-level access control bypass #

Starburst has identified a vulnerability impacting SEP version 413-e, allowing column-level access control to be bypassed by use of the use of table functions.

The only vulnerable release of SEP is the short-term support (STS) release of 413-e. The long-term support (LTS) release of 413-e.1 has remediated the issue, customers are strongly advised to upgrade to this version or later.

Please do not hesitate to contact Starburst Support or your Account Executive with any questions or concerns.

HTTP client risk #

Starburst has identified a low-risk vulnerability in which HTTP clients, such as OAuth2, are exposing internal bearer tokens.

The Starburst engineering team conducted an extensive investigation to determine the probability and impact of this exploit. We have patched all LTS releases of SEP, 413-e.1, 407-e.5, 402-e.9, 393-e.14, and 380-e.18, to mitigate this vulnerability.

Starburst urges customers to upgrade your SEP version to the latest version. Change your internal-communication.shared-secret configuration property to a new shared secret (to invalidate potentially leaked tokens).

Please do not hesitate to contact Starburst Support or your Account Executive with any questions or concerns.

CVE-2022-40152 Woodstox #

The CVE-2020-40152 report is related to a potential exploit of the DTD support in the Woodstox XML parser library to facilitate Denial of Service attacks. All affected versions of SEP are being updated to use an updated version of the Woodstox library that removes this vulnerability.

CVE-2022-1471 SnakeYAML #

The CVE-2020-1471 report is related to the Constructor() class of the SnakeYAML library. There is no known exploit in Trino, Starburst Enterprise, or Starburst Galaxy, as these do not use the processor on the executable path. Warp Speed, the Elasticsearch connector, and the Pinot connector are being updated to explicitly exclude SnakeYAML from their dependency trees as a preventative measure.

CVE-2022-3786 and CVE-2022-3602 OpenSSL #

The impact of the OpenSSL high vulnerabilities from CVE-2022-3786 and CVE-2022-3602 on Starburst was analyzed by the engineering and information security teams.

SEP, including the distributed container images, is not vulnerable to any exploits.

The container for the Apache Ranger server with the Starburst Ranger plugin shipped with the Helm chart was updated to include an unaffected version of OpenSSL. The container is used with SEP 401-e, released on the 3 November 2022, and any newer releases, including the 402-e LTS release and backport releases for older LTS versions.

Starburst Galaxy, including the used container images, is not vulnerable to any exploits.

CVE-2022-22947 #

The CVE-2022-22947 report is related to Spring Cloud artifacts and the Gateway Actuator endpoint. They are not in use in Starburst Enterprise, Starburst Galaxy, Apache Ranger or the Hive Metastore Service. It therefore does not apply to any Starburst product.

Spring4Shell #

The Spring4Shell zero day vulnerabilities were identified on the 29 March 2022. They are comprised of the following CVE entries, and the detailed analysis information applies:

CVE-2022-22950 (Spring Framework)
Trino, Starburst Enterprise, and Starburst Galaxy do not use the Spring Framework, and therefore this CVE does not apply.
Hive Metastore Service does not use the Spring Framework, and therefore this CVE does not apply.
No exploit for Apache Ranger is available. No release with the upgrade of the Spring Framework is currently available.
CVE-2022-22963 (Spring Cloud Functions)
Trino, Starburst Enterprise, and Starburst Galaxy do not use Spring Cloud Functions, and therefore this CVE does not apply.
Hive Metastore Service and Apache Ranger do not use Spring Cloud Functions, and therefore this CVE does not apply.
CVE-2022-22965 (Spring MVC, WAR, Tomcat)
Trino, Starburst Enterprise and Starburst Galaxy use Eclipse Jetty, and not Apache Tomcat, and therefore this CVE does not apply.
Hive Metastore Service and Apache Ranger do not use a WAR deployment on Apache Tomcat, and therefore this CVE does not apply.

CVE-2021-42392 #

The CVE-2021-42392 report is related to the H2 database system. Trino and Starburst Enterprise embed H2 binaries only in the legacy Raptor connector plugin. The binaries are only loaded when the plugin is used. This is implemented in a catalog file with connector.name=raptor and is typically not the case. The CVE is therefore not applicable. Concerned users can optionally remove the directory plugin/raptor-legacy in their installation.

CVE-2021-44228 #

Information about CVE-2021-44228 is available in our Security advisory for Log4Shell.

CVE-2021-45046 #

Information about CVE-2021-45046 is available in our Security advisory for Log4Shell.

CVE-2021-45105 #

Information about CVE-2021-45105 is available in our Security advisory for Log4Shell.

CVE-2020-36518 #

The CVE-2020-36518 is related to the databind component of the jackson project from FasterXML. There is no known exploit in Trino, Starburst Enterprise or Starburst Galaxy. The component is updated to the latest, unaffected version 2.13.3, as of airbase 128, and therefore Trino 386, Starburst Enterprise 386-e, and the related Starburst Galaxy update.

The dependencies Phoenix, Calcite and Alluxio include the affected binaries as shaded binaries. No exploits are known, and upgrade to unaffected versions in Trino are pending the release of new upstream versions of each library.