LHX created CASSANDRA-16528:
-------------------------------
Summary: Update Cassandra dependencies to fix security
vulnerabilities
Key: CASSANDRA-16528
URL: https://issues.apache.org/jira/browse/CASSANDRA-16528
Project: Cassandra
Issue Type: Bug
Components: Build
Reporter: LHX
There are a couple of security vulnerabilities that show up in libraries that
cassandra pulls in.
# apache commons-collections v 3.2.1
# apache commons-beanutils v 1.7.0
For number one, there is a well-known security vulnerability in apache
commons-collections 3.2.1 (see [https://www.kb.cert.org/vuls/id/576313] and
https://issues.apache.org/jira/browse/COLLECTIONS-580). This is fixed/mitigated
in commons-collections 3.2.2.
All current versions of cassandra (including 4.0beta4) pull in
commons-collections 3.2.1 via apache-rat 0.10. Is it possible to upgrade
apache-rat to version 0.12 in order to pull in the latest version of
commons-collections? See
[https://github.com/apache/creadur-rat/commit/2380409fbcd02b418eceacfdc1e486bdbbca9632].
I made the below change in 3.0.24 src and recompiled without errors.
{code:java}
diff --git a/cassandra/cassandra-3.0-src/build.xml
b/cassandra/cassandra-3.0-src/build.xml
index 73c9889d81..ed236443d4 100644
--- a/cassandra/cassandra-3.0-src/build.xml
+++ b/cassandra/cassandra-3.0-src/build.xml
@@ -402,3 +402,3 @@
<dependency groupId="org.reflections" artifactId="reflections"
version="0.9.12" />
- <dependency groupId="org.apache.rat" artifactId="apache-rat"
version="0.10">
+ <dependency groupId="org.apache.rat" artifactId="apache-rat"
version="0.12">
<exclusion groupId="commons-lang" artifactId="commons-lang"/>
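Review bot: Nothing in this hunk pins commons-collections itself; the bump from apache-rat 0.10 to 0.12 only helps if the resolved classpath really ends up with commons-collections 3.2.2 (the linked creadur-rat commit is what makes 0.12 depend on it). Please verify the jar that actually lands on the build classpath after the change rather than relying on the recompile, and check whether the retained `<exclusion groupId="commons-lang" .../>` is still the only exclusion needed for the 0.12 artifact.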
@@ -1605,3 +1605,3 @@
<artifact:dependencies pathId="rat.classpath">
- <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks"
version="0.6" />
+ <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks"
version="0.12" />
<remoteRepository refid="central"/>
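Review bot: apache-rat-tasks jumps from 0.6 straight to 0.12 on `rat.classpath`, and that classpath feeds the rat Ant task rather than the compile step, so "recompiled without errors" in the description does not exercise it. Run the rat target once with this change to confirm the 0.12 task definitions still load and the license check still passes; aligning apache-rat and apache-rat-tasks on the same version (0.12) is otherwise the right call.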
{code}
For number two, I was able to discern that beanutils is coming from hadoop-core
which is version 1.0.3. I believe this also is quite out of date and could be
upgraded.
Could someone take a look and see if these version upgrades are possible?
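As an added illustration (not code from the issue or the Cassandra project), the check below parses Maven-Ant-Tasks style `<dependency>` declarations from a build.xml fragment and resolved jar file names, and flags versions below the minimums this issue names (commons-collections 3.2.2, apache-rat 0.12). The build.xml fragment and jar list are constructed sample input, and `MIN_SAFE` is an assumed table built from the issue text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed build.xml fragment modelled on the hunk in the issue (not the real file).
SAMPLE_BUILD_XML = """<project xmlns:artifact="antlib:org.apache.maven.artifact.ant">
  <artifact:dependencies pathId="build.classpath">
    <dependency groupId="org.reflections" artifactId="reflections" version="0.9.12"/>
    <dependency groupId="org.apache.rat" artifactId="apache-rat" version="0.10">
      <exclusion groupId="commons-lang" artifactId="commons-lang"/>
    </dependency>
    <dependency groupId="commons-collections" artifactId="commons-collections" version="3.2.1"/>
  </artifact:dependencies>
</project>"""

# Assumed minimum versions, taken from the issue text (fixed releases it cites).
MIN_SAFE = {
    ("commons-collections", "commons-collections"): "3.2.2",
    ("org.apache.rat", "apache-rat"): "0.12",
    ("org.apache.rat", "apache-rat-tasks"): "0.12",
}

def version_key(v):
    """Turn '3.2.1' or '4.0-beta4' into a tuple that compares numerically."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))

def declared_dependencies(xml_text):
    """(groupId, artifactId, version) for every versioned <dependency> element."""
    root = ET.fromstring(xml_text)
    return [(d.get("groupId"), d.get("artifactId"), d.get("version"))
            for d in root.iter("dependency") if d.get("version")]

def outdated(deps):
    """(group, artifact, found, required) for each declared dependency below MIN_SAFE."""
    return [(g, a, v, MIN_SAFE[(g, a)]) for g, a, v in deps
            if (g, a) in MIN_SAFE and version_key(v) < version_key(MIN_SAFE[(g, a)])]

def outdated_jars(jar_names):
    """Same check on resolved jar file names; this catches transitive pulls such as
    commons-collections arriving via apache-rat, which build.xml never declares."""
    hits = []
    for name in jar_names:
        m = re.match(r"(.+?)-(\d[\w.\-]*)\.jar$", name)
        if not m:
            continue
        artifact, version = m.groups()
        for (_, a), need in MIN_SAFE.items():
            if a == artifact and version_key(version) < version_key(need):
                hits.append((artifact, version, need))
    return hits
```

Point `outdated_jars` at the file names in the build's resolved lib directory after the upgrade to confirm commons-collections 3.2.1 is actually gone.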
--
This message was sent by Atlassian Jira
(v8.3.4#803005)