Situation

So far we have an introduction to TLS and an article that focuses on TLS in UDFs in particular. What is missing is a part about TLS with Exasol in general.

Acceptance Criteria

• TLS tutorial contain an article about general TLS with Exasol (especially the loader).

Currently the tutorial section about using own certificates does not mention the requirement and setup of the hostname/ip-address for the server certificate (see also).

• org.eclipse.parsson:parsson:jar:1.1.1 in test
  • CVE-2023-4043, severity CWE-20: Improper Input Validation (7.5)

Vulnerability is typically introduced via transitive test dependency exasol-test-containers:

\- com.exasol:exasol-testcontainers:jar:6.6.2:test
   \- com.exasol:bucketfs-java:jar:3.1.0:test
      \- org.eclipse.parsson:parsson:jar:1.1.1:test

TLS in User Defined Functions (UDFs)

• "We are going to use curl to upload the truststore file to the default bucket." it seems that docs expects anchor in lower case: https://docs.exasol.com/db/latest/database_concepts/bucketfs/file_access.htm#curl
• "trusstore" -> "truststore"?

TLS With Exasol

• "For a truly secure connection, you need to put in place a custom server certificate immediately after installing EXAOperation.": Logically, we are talking rather about installing cluster / DB.
• "The certificate is signed by an Exasol Certification Agency (CA) and your machine does not have that CA’s certificate pre-installed": Really? For my Exasol Community Edition default certificate chain consists of only 0 level.

Using Your Own Certificates

• "Open SSL": an unneeded space.
• "certificate extensions.To": a space is missing.
• "This header can be used for find a set of options in the configuration file" -> finding?
• "information. : The key": an unneeded colon.
• "You could drop that option if you wanted, because this is the default for certificates." -> want?
• "No we are all set to install the certificates." -> Now?
• "win any price" -> prize?
• "/etc/mysql/mysql.conf.d/mysqld.cnf ": unneeded space is highlighted.
• "OpenSSL's sclient" -> s_client?
• "MySQl" -> MySQL?
• "Copy the driver to the default Bucket" should, probably, refer to MySQL JDBC driver, not to tls-tutorial.jar. Applies to the remainder of "Installing the MySQL JDBC driver in Exasol" section as well.
• Formatting right after "You are now set up and ready to run the import." is broken.

Situation

Automatic testing is essential for professional software development. Without automated tests software will accumulate regressions or simply be faulty from the start.

This tutorial addresses important considerations for a successful test automation and strategy, gives concrete examples and shows how to conveniently incorporate TDD into your workflows.

Acceptance Criteria

• Testing tutorial text exists
• Java example project exists

Situation

We have a general description in tls_in_udfs.md at the moment on how to secure a truststore in a private bucket. Aleks pointed out that the commands mentioned sound so similar that users might confuse them. Better be safe and add a concrete example.

Acceptance Criteria

• Commands for securing bucket are available.

See https://github.com/exasol/exasol-java-tutorial#tls-tutorial

Fix issues reported by broken links checker
Probably an update to latest version of project keeper will help

Installing the Software
sudo apt install docker.io

and again
Setting up Docker
Install Docker
sudo apt install docker.io

Instead of systemctl restart mysql you have to start with

• (1) sudo service mysql start
• (2) sudo service docker start

But before it worked I had to execute this:
for (1)

sudo su
nohup kill 1063; sleep 2; usermod -d /var/lib/mysql/ mysql &

for(2)
https://docs.docker.com/engine/install/ubuntu/

(1)
vm with dynamic allocaded RAM
sudo apt upgrade => seems that this upgraded too much => no space left on device

(2)
second try, new plain Ubuntu VM
did not use sudo apt upgrade

sudo apt install docker.io
Reading package lists... Done Building dependency tree... Done Reading state information... Done Package [docker.io](http://docker.io/) is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source E: Package '[docker.io](http://docker.io/)' has no installation candidate
=>sudo snap install docker installed docker
tested it with docker -v

Acceptance Criteria

1. Introduced the simplest possible "hello world".
2. Introduced a scalar set script deployed as JAR.

Situation

Currently the CI build scripts created by Project Keeper are for a single module Maven build. Since there are multiple tutorials in this project, we use a multi-module Maven build. As a result the standard CI builds don't look for the build artifacts (JARs) in the right directory. They look in 'target/', but there are multiple directories in the form of <sub-module>/target/ that actually need to be scanned.

Additionally, we need to take the release artifacts from those directories.

Acceptance Criteria

• CI handles multi-module build correctly

Situation

Installing TLS certificates correctly is the precondition for getting an IMPORT running using the EXALoader when the service you are importing from uses a server certificate signed by the organizations own CA. This is a very typical scenario on-premise.

Acceptance Criteria

• Step-by-step tutorial exists that demonstrates an IMPORT in a scenario with organization issued TLS certificates.

• org.apache.commons:commons-compress:jar:1.22 in test
  • CVE-2023-42503, severity CWE-20: Improper Input Validation (5.5)

Situation

With the standard commonmark package we cannot use a module-info.java (see commonmark/commonmark-java#125 for details why). There is a fork (https://github.com/aya-prover/commonmark-java) that provides an alternative version that supports the module system.

Acceptance Criteria

• Successfully build and test Markdown sub-project with module info.

The following sentence:

is a bit overloaded from my point of view. Even though technically I understand that the signature is smaller, I'm not sue if that information is relevant for most readers. I even think it can distract from the more relevant properties (more relevant in the context of the target/reader audience) like that it is tamper-proof.

TL;DR:

• Why is it relevant to the reader that the signature is smaller and how it looks like?
  (Isn't the relevant information just that it is tamper-proof and maybe that it is based on the content?)

Summary

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

CVE: CVE-2024-25710
CWE: CWE-835

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-25710?component-type=maven&component-name=org.apache.commons%2Fcommons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25710
• https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf

Situation

We just had a situation where a user forgot to refresh outdated certificates and was wondering what is going on.
Adding the expiry date to the list output of the certificate script would be helpful in such a situation.

Acceptance Criteria

1. Expiry date in the result set of the CERTIFICATES() UDF

Situation

We already have an article on the Exasol blog that gives an introduction to TLS. But it would be good to have everything in one place. From the introduction to the UDF that checks the CA certificate installation.

Acceptance Criteria

• Blog article ported to Markdown
• Article available in this repository

Summary

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.

CVE: CVE-2024-26308
CWE: CWE-770

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-26308?component-type=maven&component-name=org.apache.commons%2Fcommons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26308
• https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg
• https://www.openwall.com/lists/oss-security/2024/02/19/2

I copied my ca.crt to Exasol-DB

pesm@pesm-VirtualBox:~/tutorials/tls_with_exasol/import$ docker cp "ca.crt" exasoldb:/root