[
https://issues.apache.org/jira/browse/CASSANDRA-14760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16619378#comment-16619378
]
Jason Brown commented on CASSANDRA-14760:
-----------------------------------------
The CVE seems to apply to only to:
- AtomicDoubleArray (when serialized with Java serialization)
- CompoundOrdering (when serialized with GWT serialization)
Cassandra uses neither of those classes, nor do we use Java nor GWT
serialization. Thus, it's not clear this CVE is a problem for us.
> CVE-2018-10237 Security vulnerability in 3.11.3
> -----------------------------------------------
>
> Key: CASSANDRA-14760
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14760
> Project: Cassandra
> Issue Type: Bug
> Reporter: John F. Gbruoski
> Priority: Major
>
> As described in the CVE, Guava 11.0 through 24.x before 24.1.1 have a
> security exposure. Cassandra 3.11.3 uses Guava 18.0. Can Cassandra 3.11 be
> patched to support Guava 24.1.1 or later?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
