
Vulnerabilities with H2O v3.40 #16357

Open
PranavM2412 opened this issue Aug 7, 2024 · 4 comments

@PranavM2412

H2O version, Operating System and Environment
H2O-3.40

Actual behavior
Our security team has identified the following four CVEs with the current version of H2O Sparkling Water (3.40.x) notebooks.

CVE-2023-6016
CVE-2023-35116
CVE-2023-6038
CVE-2023-6569

Expected behavior
The customer is concerned about the above CVEs and is not willing to upgrade/change to a new version.

@PranavM2412 PranavM2412 added the bug label Aug 7, 2024
@valenad1 valenad1 self-assigned this Aug 7, 2024
@valenad1 valenad1 added this to the 3.46.0.5 milestone Aug 7, 2024
@valenad1

valenad1 commented Aug 7, 2024

CVE-2023-6016 - Fixed. We are in communication with the reporter. #16341
CVE-2023-35116 - Fixed
CVE-2023-6038 - Fixed. We are in communication with the reporter. #16341
CVE-2023-6569 - Fixed. We are in communication with the reporter. #16341

> The customer is concerned about the above CVEs and is not willing to upgrade/change to a new version.

It does not make sense. We are fixing the vulnerabilities with each release. Newer release -> less known vulnerabilities.

@valenad1 valenad1 closed this as completed Aug 7, 2024
@PranavM2412

@valenad1 The customer mentioned that when they are asked to upgrade the version, upgrading to a new version requires onboarding all the users to the newer version of the notebook using the configuration of the older version v3.40. Will this happen if they upgrade to the newer version?
cc: @mohamedasni

@valenad1

valenad1 commented Aug 8, 2024

You mean the clients? That is true, you have to have the clients on the same version as the h2o backend. Otherwise you have to set strict_version_check to False.

@valenad1

Reopening, we will fix 3.40.0.1 and provide a custom build to the customer.

@valenad1 valenad1 reopened this Sep 20, 2024
@valenad1 valenad1 removed the bug label Sep 20, 2024