Security advisories
Security advisories inform you of the impact of publicly disclosed vulnerabilities, exposures, and other reported security threats. These reports are often published as Common Vulnerabilities and Exposures (CVE) entries, as entries in the National Vulnerability Database, or from other sources.
The following sections provide information for various reports based on their unique identifiers. Reports not listed typically do not apply. Contact us for further information about any report.
The CVE-2022-22947 report is related to Spring Cloud artifacts and the Gateway Actuator endpoint. Neither is used in Starburst Enterprise, Starburst Galaxy, Apache Ranger or the Hive Metastore Service. The CVE therefore does not apply to any Starburst product.
The Spring4Shell zero-day vulnerabilities were identified on 29 March 2022. They comprise the following CVE entries, and the detailed analysis for each is as follows:
- CVE-2022-22950 (Spring Framework)
  - Trino, Starburst Enterprise, and Starburst Galaxy do not use the Spring Framework, and therefore this CVE does not apply.
  - Hive Metastore Service does not use the Spring Framework, and therefore this CVE does not apply.
  - No exploit for Apache Ranger is available. No release with the upgrade of the Spring Framework is currently available.
- CVE-2022-22963 (Spring Cloud Functions)
  - Trino, Starburst Enterprise, and Starburst Galaxy do not use Spring Cloud Functions, and therefore this CVE does not apply.
  - Hive Metastore Service and Apache Ranger do not use Spring Cloud Functions, and therefore this CVE does not apply.
- CVE-2022-22965 (Spring MVC, WAR, Tomcat)
  - Trino, Starburst Enterprise, and Starburst Galaxy use Eclipse Jetty, not Apache Tomcat, and therefore this CVE does not apply.
  - Hive Metastore Service and Apache Ranger do not use a WAR deployment on Apache Tomcat, and therefore this CVE does not apply.
report is related to the H2 database system. Trino and Starburst Enterprise embed H2 binaries only in the legacy Raptor connector plugin. The binaries are only loaded when the plugin is used, which requires a catalog file with connector.name=raptor; this is typically not the case. The CVE is therefore not applicable. Concerned users can optionally remove the directory plugin/raptor-legacy in their installation.
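As an added check before removing that directory (an example script, not part of the Starburst documentation or product), the following confirms that no catalog in the installation references the Raptor connector. It assumes the standard layout of one properties file per catalog under etc/catalog of the installation directory.

```shell
#!/bin/sh
# Added example, not part of the Starburst documentation: check whether any catalog
# in a Trino or Starburst Enterprise installation uses the legacy Raptor connector,
# i.e. whether plugin/raptor-legacy (and the H2 binaries it embeds) would ever be
# loaded, before deciding to remove that plugin directory.
# Assumption: the standard layout <install dir>/etc/catalog/<name>.properties.

# Print the catalog names whose connector.name is raptor.
# Returns 0 if at least one such catalog exists, 1 otherwise.
raptor_catalogs() {
  install_dir="$1"
  found=1
  for f in "$install_dir"/etc/catalog/*.properties; do
    [ -f "$f" ] || continue
    # Skip comment lines; tolerate whitespace around '=' as Java properties files allow.
    if grep -Eq '^[[:space:]]*connector\.name[[:space:]]*=[[:space:]]*raptor[[:space:]]*$' "$f"; then
      basename "$f" .properties
      found=0
    fi
  done
  return "$found"
}

# Report whether plugin/raptor-legacy can be removed from the installation:
# exit status 0 only when no catalog references the raptor connector.
raptor_plugin_removable() {
  install_dir="$1"
  if raptor_catalogs "$install_dir" >/dev/null; then
    echo "raptor connector in use; keep $install_dir/plugin/raptor-legacy"
    return 1
  fi
  echo "no catalog uses raptor; $install_dir/plugin/raptor-legacy can be removed"
  return 0
}

# Usage: raptor_plugin_removable /path/to/starburst-enterprise
```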
is related to the databind component of the Jackson project from FasterXML. There is no known exploit in Trino, Starburst Enterprise or Starburst Galaxy. The component is updated to the latest, unaffected version 2.13.3, as of airbase and therefore Trino 386, Starburst Enterprise 386-e, and the related Starburst
The dependencies Phoenix, Calcite and Alluxio include the affected binaries as shaded binaries. No exploits are known, and upgrades to unaffected versions in Trino are pending the release of new upstream versions of each library.