This is an automated email from the ASF dual-hosted git repository.
yashmayya pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push:
new 2da7284e01d Exclude embedded Jetty from Hadoop deps in
pinot-orc/pinot-parquet (CVE-2026-2332) (#18659)
2da7284e01d is described below
commit 2da7284e01d859ed2a52da74c15680162a579455
Author: Jhow <[email protected]>
AuthorDate: Wed Jun 3 15:42:51 2026 -0700
Exclude embedded Jetty from Hadoop deps in pinot-orc/pinot-parquet
(CVE-2026-2332) (#18659)
---------
Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
---
pom.xml | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
diff --git a/pom.xml b/pom.xml
index 8b2ea266caa..7f166bc31a8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1188,6 +1188,21 @@
<groupId>ch.qos.reload4j</groupId>
<artifactId>reload4j</artifactId>
</exclusion>
+ <!-- Hadoop pulls org.eclipse.jetty (and
org.eclipse.jetty.websocket) for its embedded
+ HttpServer2 web UIs, which downstream Pinot modules never
start. These leak into
+ runtime distributions and carry CVE-2026-2332 (jetty-http
request smuggling). Exclude
+ centrally here so every module depending on Hadoop is covered
by default. Note: this
+ does NOT strip the relocated Jetty bundled inside the
hadoop-client-runtime uber-jar
+ (org.apache.hadoop.shaded.org.eclipse.jetty); that is handled
by the maven-shade-plugin
+ filter further down in this pom. -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty.websocket</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
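Review bot: The wildcard exclusions added after the reload4j exclusion only bind to the Hadoop artifacts managed in this pom, so a Hadoop artifact a module declares without going through these entries, or a Jetty path that arrives via a non-Hadoop dependency, would still put jetty-http on the classpath and reintroduce CVE-2026-2332 with nothing in the build noticing. If the pom already runs maven-enforcer-plugin and no Pinot module needs Jetty itself, a `bannedDependencies` rule naming `org.eclipse.jetty:*` and `org.eclipse.jetty.websocket:*` would turn the scanner finding into a build failure and make the per-dependency exclusions enforceable rather than advisory; the comment could then state `<!-- Also enforced by the enforcer bannedDependencies rule; keep the two lists in sync. -->`. The same exclusion pair is repeated in the hunks at 1208, 1220, 1260 and 1267 and would be covered by one such rule. The enclosing dependency element starts and ends outside this hunk.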
@@ -1208,6 +1223,15 @@
<groupId>ch.qos.reload4j</groupId>
<artifactId>reload4j</artifactId>
</exclusion>
+ <!-- See hadoop-common above: drop embedded-Jetty web UI transitives
(CVE-2026-2332). -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty.websocket</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1220,6 +1244,17 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-reload4j</artifactId>
</exclusion>
+ <!-- See hadoop-common above: drop embedded-Jetty web UI transitives
(CVE-2026-2332).
+ For hadoop-client the compile-scoped leak path is
+ hadoop-yarn-client -> websocket-client -> jetty-client ->
jetty-http. -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty.websocket</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1260,6 +1295,15 @@
<groupId>ch.qos.reload4j</groupId>
<artifactId>reload4j</artifactId>
</exclusion>
+ <!-- See hadoop-common above: drop embedded-Jetty web UI transitives
(CVE-2026-2332). -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty.websocket</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1267,6 +1311,17 @@
<artifactId>hadoop-hdfs-client</artifactId>
<version>${hadoop.version}</version>
<scope>provided</scope>
+ <exclusions>
+ <!-- See hadoop-common above: drop embedded-Jetty web UI transitives
(CVE-2026-2332). -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty.websocket</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
@@ -2804,6 +2859,23 @@
<exclude>src/main/java/org/apache/pinot/core/transport/NettyInstance.java</exclude>
</excludes>
</filter>
+ <filter>
+ <!-- hadoop-client-runtime is a Hadoop uber-jar that bundles its
own relocated Jetty
+ (org.apache.hadoop.shaded.org.eclipse.jetty). It exists
only for Hadoop's embedded
+ HttpServer2 web UIs, which Pinot input-format / filesystem
plugins never start, so
+ the classes are unreachable, but the leftover jetty-* Maven
metadata still makes
+ scanners flag CVE-2026-2332 (jetty-http request smuggling).
A Maven exclusion
+ cannot remove these because the classes are baked into the
uber-jar rather than
+ resolved as a dependency node, so strip them from any
shaded jar here. -->
+ <artifact>org.apache.hadoop:hadoop-client-runtime</artifact>
+ <excludes>
+
<exclude>org/apache/hadoop/shaded/org/eclipse/jetty/**</exclude>
+ <exclude>META-INF/maven/org.eclipse.jetty/**</exclude>
+
<exclude>META-INF/maven/org.eclipse.jetty.websocket/**</exclude>
+ <!-- ServiceLoader entries whose implementation classes are
removed above. -->
+
<exclude>META-INF/services/org.apache.hadoop.shaded.org.eclipse.jetty.**</exclude>
+ </excludes>
+ </filter>
</filters>
<relocations>
<relocation>
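Review bot: Nothing in the build verifies that the new filter actually removes the relocated Jetty entries from the produced shaded jars, so a Hadoop upgrade that changes the relocation prefix (`org.apache.hadoop.shaded`) or the uber-jar coordinates would silently reinstate the bundled jetty-http while the comment keeps asserting it is stripped. A small post-package check, such as a test or an enforcer step that fails when any `org/apache/hadoop/shaded/org/eclipse/jetty/` entry survives in the shaded jar, would keep the filter honest across version bumps. It is also worth stating the resulting behaviour in the comment, since the Hadoop classes that reference the removed package presumably remain in the jar and would now fail at class-load time rather than start a server, e.g. `<!-- Any code path that does reach the embedded web server will now fail fast at class load instead of listening. -->`. The enclosing plugin configuration starts and ends outside this hunk.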