Security advisories #

Security advisories are necessary to inform you of the impact of publicly disclosed vulnerabilities, exposures, and other reported security threats. These reports are often available as Common Vulnerability and Exposure (CVE), as entries in the National Vulnerability Database, or from other sources.

The following sections provide information for various of the reports based on their unique identifiers. Reports not listed typically do not apply. Contact us for further information about any reports.

Reports are sorted alphabetically and aim to cover details for all Starburst products, including Starburst Enterprise platform (SEP) and Starburst Galaxy and included components.

CVE-2022-22947 #

The CVE-2022-22947 report is related to Spring Cloud artifacts and the Gateway Actuator endpoint. They are not in use in Starburst Enterprise, Starburst Galaxy, Apache Ranger or the Hive Metastore Service. It therefore does not apply to any Starburst product.

Spring4Shell #

The Spring4Shell zero day vulnerabilities were identified on the 29 March 2022. They are comprised of the following CVE entries, and the detailed analysis information applies:

CVE-2022-22950 (Spring Framework)
Trino, Starburst Enterprise, and Starburst Galaxy do not use the Spring Framework, and therefore this CVE does not apply.
Hive Metastore Service does not use the Spring Framework, and therefore this CVE does not apply.
No exploit for Apache Ranger is available. No release with the upgrade of the Spring Framework is currently available.
CVE-2022-22963 (Spring Cloud Functions)
Trino, Starburst Enterprise, and Starburst Galaxy do not use Spring Cloud Functions, and therefore this CVE does not apply.
Hive Metastore Service and Apache Ranger do not use Spring Cloud Functions, and therefore this CVE does not apply.
CVE-2022-22965 (Spring MVC, WAR, Tomcat)
Trino, Starburst Enterprise and Starburst Galaxy use Eclipse Jetty, and not Apache Tomcat, and therefore this CVE does not apply.
Hive Metastore Service and Apache Ranger do not use a WAR deployment on Apache Tomcat, and therefore this CVE does not apply.

CVE-2021-42392 #

The CVE-2021-42392 report is related to the H2 database system. Trino and Starburst Enterprise embed H2 binaries only in the legacy Raptor connector plugin. The binaries are only loaded when the plugin is used. This is implemented in a catalog file with connector.name=raptor and is typically not the case. The CVE is therefore not applicable. Concerned users can optionally remove the directory plugin/raptor-legacy in their installation.

CVE-2021-44228 #

Information about CVE-2021-44228 is available in our Security advisory for Log4Shell.

CVE-2021-45046 #

Information about CVE-2021-45046 is available in our Security advisory for Log4Shell.

CVE-2021-45105 #

Information about CVE-2021-45105 is available in our Security advisory for Log4Shell.

CVE-2020-36518 #

The CVE-2020-36518 is related to the databind component of the jackson project from FasterXML. There is no known exploit in Trino, Starburst Enterprise or Starburst Galaxy. The component is updated to the latest, unaffected version 2.13.3, as of airbase 128, and therefore Trino 386, Starburst Enterprise 386-e, and the related Starburst Galaxy update.

The dependencies Phoenix, Calcite and Alluxio include the affected binaries as shaded binaries. No exploits are known, and upgrade to unaffected versions in Trino are pending the release of new upstream versions of each library.