Security advisories #
Security advisories are necessary to inform you of the impact of publicly disclosed vulnerabilities, exposures, and other reported security threats. These reports are often available as Common Vulnerability and Exposure (CVE), as entries in the National Vulnerability Database, or from other sources.
The following sections provide information for various of the reports based on their unique identifiers. Reports not listed typically do not apply. Contact us for further information about any reports.
Reports are sorted by date, starting with the latest advisories, and aim to cover details for all Starburst products, including Starburst Enterprise platform (SEP) and Starburst Galaxy and included components.
CVE-2022-3786 and CVE-2022-3602 OpenSSL #
SEP, including the distributed container images, is not vulnerable to any exploits.
The container for the Apache Ranger server with the Starburst Ranger plugin shipped with the Helm chart was updated to include an unaffected version of OpenSSL. The container is used with SEP 401-e, released on the 3 November 2022, and any newer releases, including the 402-e LTS release and backport releases for older LTS versions.
Starburst Galaxy, including the used container images, is not vulnerable to any exploits.
The CVE-2022-22947 report is related to Spring Cloud artifacts and the Gateway Actuator endpoint. They are not in use in Starburst Enterprise, Starburst Galaxy, Apache Ranger or the Hive Metastore Service. It therefore does not apply to any Starburst product.
The Spring4Shell zero day vulnerabilities were identified on the 29 March 2022. They are comprised of the following CVE entries, and the detailed analysis information applies:
- CVE-2022-22950 (Spring Framework)
- Trino, Starburst Enterprise, and Starburst Galaxy do not use the Spring
Framework, and therefore this CVE does not apply.
Hive Metastore Service does not use the Spring Framework, and therefore this CVE does not apply.
No exploit for Apache Ranger is available. No release with the upgrade of the Spring Framework is currently available.
- CVE-2022-22963 (Spring Cloud Functions)
- Trino, Starburst Enterprise, and Starburst Galaxy do not use Spring Cloud
Functions, and therefore this CVE does not apply.
Hive Metastore Service and Apache Ranger do not use Spring Cloud Functions, and therefore this CVE does not apply.
- CVE-2022-22965 (Spring MVC, WAR, Tomcat)
- Trino, Starburst Enterprise and Starburst Galaxy use Eclipse Jetty, and not
Apache Tomcat, and therefore this CVE does not apply.
Hive Metastore Service and Apache Ranger do not use a WAR deployment on Apache Tomcat, and therefore this CVE does not apply.
report is related to the H2 database system. Trino and
Starburst Enterprise embed H2 binaries only in the legacy Raptor connector
plugin. The binaries are only loaded when the plugin is used. This is
implemented in a catalog file with
connector.name=raptor and is typically not
the case. The CVE is therefore not applicable. Concerned users can
optionally remove the directory
plugin/raptor-legacy in their installation.
is related to the
databind component of the jackson project from
FasterXML. There is no known exploit in
Trino, Starburst Enterprise or Starburst Galaxy. The component is updated to the
latest, unaffected version 2.13.3, as of airbase
and therefore Trino 386, Starburst Enterprise 386-e, and the related Starburst
The dependencies Phoenix, Calcite and Alluxio include the affected binaries as shaded binaries. No exploits are known, and upgrade to unaffected versions in Trino are pending the release of new upstream versions of each library.
Is the information on this page helpful?