superset 4.0.1 uses werkzeug 3.0.1 with CVE => should update to 3.0.3 or newer
Bug description
The current 4.0.1 image has a high-severity CVE finding for werkzeug: CVE-2024-34069.
An update to 3.0.3 (or newer) should be made.
How to reproduce the bug
Download the 4.0.1 Docker Hub image and scan the image.
Screenshots/recordings
No response
Superset version
4.0.1
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
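The reproduction step above is "pull the image and scan it". As an added example (not part of the original issue and not Superset project code), the script below does the narrow version of that check offline: it parses `pip freeze` style output and flags any package pinned below the release the issue names as fixed (Werkzeug 3.0.3). The `SAMPLE_FREEZE` text is constructed for the example; the `docker run ... pip freeze` command named in the comment is the assumed way to obtain real input from the `apache/superset:4.0.1` image, and `MIN_FIXED` is an assumption populated only from this issue.

```python
"""Flag packages in a pip freeze / lock file that sit below a known fixed release."""
import re

# Constructed sample standing in for what
#   docker run --rm apache/superset:4.0.1 pip freeze
# would print (assumed command; the real output is far longer).
SAMPLE_FREEZE = """\
apache-superset==4.0.1
Flask==2.3.3
flask-appbuilder==4.4.1
Werkzeug==3.0.1
"""

# Minimum fixed releases keyed by project name. Werkzeug 3.0.3 is the version
# this issue gives as the fix for CVE-2024-34069; extend the dict as needed.
MIN_FIXED = {"werkzeug": "3.0.3"}

# Matches "Name==1.2.3" with optional trailing comment; ignores URL/editable pins.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.+-]*)\s*(?:#.*)?$"
)


def normalize_name(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Comparable tuple for a version string such as '3.0.1' or '3.0.3rc1'.

    Only the leading numeric release is compared (padded to three parts so
    '3.0' == '3.0.0'); any non-numeric suffix is treated as a pre-release and
    ranks below the final release with the same numbers.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    pre_marker = -1 if m.group(2) else 0
    return release + (pre_marker,)


def parse_freeze(text: str) -> dict:
    """Map normalized project name -> pinned version for every 'pkg==ver' line."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def find_outdated(freeze_text: str, minimums: dict = MIN_FIXED) -> list:
    """Return (name, installed, minimum_fixed) for each pinned package below its fix."""
    pins = parse_freeze(freeze_text)
    findings = []
    for name, minimum in minimums.items():
        installed = pins.get(normalize_name(name))
        if installed is not None and parse_version(installed) < parse_version(minimum):
            findings.append((name, installed, minimum))
    return findings


if __name__ == "__main__":
    for name, installed, minimum in find_outdated(SAMPLE_FREEZE):
        print(f"{name} {installed} is below the fixed release {minimum}")
```

Run it against the constructed sample and it reports `werkzeug 3.0.1 is below the fixed release 3.0.3`; feed it the real `pip freeze` output from the container to confirm or refute what the image scanner reported, and re-run after rebuilding with the bumped requirement to confirm the finding is gone. The version comparison is deliberately minimal (numeric release plus a pre-release marker); for anything beyond that, use `packaging.version` instead of extending it.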
To address the high-severity CVE-2024-34069 in the Apache Superset 4.0.1 Docker image, you can update the Werkzeug version to 3.0.3 or newer. Here are the steps to achieve this:
Steps to Update Werkzeug Version

- Modify requirements/base.txt: Update the requirements/base.txt file to specify the updated Werkzeug version.

  ```
  Werkzeug>=3.0.3
  ```

- Update the Dockerfile: Ensure the Dockerfile installs the updated requirements. Based on the provided Dockerfile.from_local_tarball, you should update the relevant section as follows:

  ```dockerfile
  WORKDIR /home/superset/apache-superset-$VERSION
  RUN pip install --upgrade setuptools pip \
      && pip install -r requirements/base.txt \
      && pip install --no-cache-dir .
  ```
Potential Conflicts
However, there are dependencies in the requirements/base.txt file that might conflict with Werkzeug version 3.0.3 or newer. Specifically, the flask package is listed as a dependency, and Flask 2.3.3 has a known compatibility issue with Werkzeug versions 3.0.3 or newer.
```
flask==2.3.3
    # via
    #   apache-superset
    #   flask-appbuilder
    #   flask-babel
    #   flask-caching
    #   flask-compress
    #   flask-jwt-extended
    #   flask-limiter
    #   flask-login
    #   flask-migrate
    #   flask-session
    #   flask-sqlalchemy
    #   flask-wtf
```
Flask 2.3.3 is compatible with Werkzeug up to version 2.x, but not with version 3.0.3 or newer. Additionally, the requirements/base.in file specifies werkzeug>=3.0.1, which could lead to conflicts with the Flask version specified.
Updating Documentation
To reflect this change, you should also update the relevant documentation:
- UPDATING.md: Include the change related to the Werkzeug dependency. The existing entry for the earlier Werkzeug upgrade reads:

  > - [9786](https://github.com/apache/superset/pull/9786): with the upgrade of `werkzeug` from version `0.16.0` to `1.0.1`, the `werkzeug.contrib.cache` module has been moved to a standalone package [cachelib](https://pypi.org/project/cachelib/). For example, to import the `RedisCache` class, please use the following import: `from cachelib.redis import RedisCache`.

- RELEASING/release-notes-1-1/README.md: Update to reflect this change. The current section reads:

  > ## Breaking Changes and Full Changelog
  > - To see the complete changelog in this release, head to [CHANGELOG.MD](https://github.com/apache/superset/blob/master/CHANGELOG.md).
  > - You can find a list of backwards incompatible changes [here](https://github.com/apache/superset/blob/3d103e66fcaee42a6b4a42b2638e13d5e2208c3b/UPDATING.md).

- CHANGELOG/3.0.0.md: Ensure that the change in the Werkzeug dependency is noted here as well.
By following these steps, you can update the Werkzeug version to 3.0.3 or newer in the Apache Superset 4.0.1 Docker image to address the high-severity CVE-2024-34069. Be mindful of potential conflicts with other dependencies, particularly Flask, and update the relevant documentation to reflect these changes.
Sources
- Dockerfile
- RELEASING/Dockerfile.from_local_tarball
- requirements/base.txt
- requirements/base.in
- UPDATING.md
- RELEASING/release-notes-1-1/README.md
- CHANGELOG/2.0.0.md
- CHANGELOG/4.0.0.md
- CHANGELOG/3.0.0.md
- .github/workflows/update-monorepo-lockfiles.yml
- .github/dependabot.yml
- .github/SECURITY.md
About Dosu: This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research.
Hi @nigzak. Please follow the instructions on Reporting Security Vulnerabilities. There's also this warning in the issue template:
🚨 Reporting a security issue: send an email to [email protected]. DO NOT USE GITHUB ISSUES TO REPORT SECURITY PROBLEMS.