[
https://issues.apache.org/jira/browse/HADOOP-13464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446852#comment-17446852
]
Jason Wen commented on HADOOP-13464:
------------------------------------
Our Xray scan shows a HIGH vulnerability issue on the current gson version:

Summary: Gson (google-gson) Insecure Deserialization DoS
Severity: HIGH
Description: Gson (google-gson) contains a flaw that is triggered as input supplied to internal classes is insecurely deserialized. This may allow a context-dependent attacker to crash a process linked against the library.
Type: SECURITY
Provider: JFrog
Issues:
Edited: 2021-11-03T18:01:10Z
Created: 2021-11-02T00:00:00.761Z
Impact paths: /sha256__78f386333fd4fb46dd3b08f87eaa6da2d4510a89875b60b7964512516b221659.tar.gz/usr/lib/hadoop-hdfs/lib/gson-2.2.4.jar
Affected component ID: gav://com.google.code.gson:gson:2.2.4 (https://artifactory.workday.com/ui/packages/gav:%2F%2Fcom.google.code.gson:gson/2.2.4)
Vulnerable versions: 2.0 ≤ Version < 2.8.9
Fixed versions: 2.8.9

We should upgrade gson to the latest release version, 2.8.9.
> update GSON to 2.7+
> -------------------
>
> Key: HADOOP-13464
> URL: https://issues.apache.org/jira/browse/HADOOP-13464
> Project: Hadoop Common
> Issue Type: Task
> Components: build
> Reporter: Sean Busbey
> Priority: Minor
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Our GSON version is from ~3 years ago. Update to the latest release.
> Try to check the release notes to see if this is incompatible.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
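As an added example (not part of the Jira comment, the Xray report or the Hadoop project), the following POSIX shell check walks an installed tree and flags every gson jar whose version falls inside the range the scan reports as affected, 2.0 ≤ version < 2.8.9. The directory layout and jar names it creates under a mktemp root are constructed for the demo; the hadoop-hdfs/lib path mirrors the impact path in the report.

```shell
#!/bin/sh
# Added example, not code from HADOOP-13464 or the Hadoop project.
# Flags gson jars in an installed tree whose version is inside the range the
# JFrog scan reports as affected: 2.0 <= version < 2.8.9 (fixed in 2.8.9).

# gson_vulnerable VERSION -> exit 0 if 2.0 <= VERSION < 2.8.9, else 1.
# Components are compared numerically, so 2.10.0 sorts above 2.8.9 and a
# two-part version such as "2.0" is treated as 2.0.0.
gson_vulnerable() {
    echo "$1" | awk -F. '{
        key = ($1 + 0) * 1000000 + ($2 + 0) * 1000 + ($3 + 0)
        lo  = 2 * 1000000                  # 2.0.0
        hi  = 2 * 1000000 + 8 * 1000 + 9   # 2.8.9
        exit (key >= lo && key < hi) ? 0 : 1
    }'
}

# find_vulnerable_gson DIR -> prints one line per affected gson-<ver>.jar
# under DIR; exits 0 if at least one was found, 1 otherwise.
# Detection is by file name only, so a gson copy shaded into another jar
# is not seen (see the note below).
find_vulnerable_gson() {
    found=1
    for jar in $(find "$1" -type f -name 'gson-*.jar' 2>/dev/null | sort); do
        ver=${jar##*/gson-}   # strip the directory and the "gson-" prefix
        ver=${ver%.jar}       # strip the ".jar" suffix
        if gson_vulnerable "$ver"; then
            echo "VULNERABLE $jar (gson $ver, fixed in 2.8.9)"
            found=0
        fi
    done
    return $found
}

# Demo on a constructed tree: the hadoop-hdfs/lib path mirrors the impact
# path in the scan; the other two jars are outside the affected range.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/hadoop-hdfs/lib" \
             "$root/usr/lib/hadoop-common/lib" \
             "$root/opt/other/lib"
    : > "$root/usr/lib/hadoop-hdfs/lib/gson-2.2.4.jar"    # affected
    : > "$root/usr/lib/hadoop-common/lib/gson-2.8.9.jar"  # fixed version
    : > "$root/opt/other/lib/gson-1.7.2.jar"              # below the range
    find_vulnerable_gson "$root"
    status=$?
    rm -rf "$root"
    return $status
}

demo
```

Run it against the unpacked image or a Hadoop install root (`find_vulnerable_gson /usr/lib/hadoop-hdfs`) to confirm what the scanner reported before and after bumping the version in the build. Because the check keys on the jar file name, it will not see a gson that has been shaded or relocated into a fat jar; for those, the scanner's archive-level inspection (or listing `com/google/gson/` classes inside each jar) is still needed.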