[
https://issues.apache.org/jira/browse/HADOOP-18108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485543#comment-17485543
]
Wei-Chiu Chuang commented on HADOOP-18108:
------------------------------------------
Hi, the vulnerability alert on mvnrepository.com is a new thing. We have GitHub
dependency vulnerability alerts enabled.
For what it's worth,
CVE-2021-36374: we don't use Apache Ant.
CVE-2021-36090: Hadoop 3.3.2 will update to Commons-Compress 1.21. Its RC is
being voted on.
log4j will be replaced by reload4j, probably in Hadoop 3.3.3.
In many cases old dependencies are not updated because updating them breaks
compatibility and requires extensive code changes. Also, often the attack
vectors don't apply to how Hadoop uses these dependencies.
If you do care about a security vulnerability, feel free to open a Jira and
attach a patch.
> is there any plan to fix the vulnerabilities in hadoop-common
> -------------------------------------------------------------
>
> Key: HADOOP-18108
> URL: https://issues.apache.org/jira/browse/HADOOP-18108
> Project: Hadoop Common
> Issue Type: Wish
> Components: common
> Affects Versions: 3.3.1
> Reporter: Miguel Costa
> Priority: Major
>
> Hi all, I use a library that is using hadoop-common as a dependency in quite
> an old version.
> Anyway, I was trying to upgrade it to the latest version and found that
> there are still some problems in hadoop-common.
> I can see them even in maven
> [https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/3.3.1]
>
> [CVE-2022-23305|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305]
> [CVE-2022-23302|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302]
> [CVE-2021-4104|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104]
> [CVE-2021-36374|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36374]
> [CVE-2021-36090|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090]
> [CVE-2021-35516|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516]
> [CVE-2021-34429|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34429]
> [CVE-2021-22569|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569]
> [CVE-2020-15522|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522]
>
> Anyway, I'm definitely not an expert on this, but are there plans to fix these
> vulnerabilities?
> Or is this library not to be used anymore, and do we need to migrate to
> something else?
> Thanks for any feedback
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
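As an added example (not from the Jira thread and not Hadoop's own build configuration), here is how a downstream project that depends on hadoop-common 3.3.1 could apply the two changes the comment describes without waiting for a release: pin commons-compress to 1.21 through dependencyManagement (which also overrides the transitive version Hadoop brings in), exclude log4j 1.x and its SLF4J binding from hadoop-common, and add reload4j in their place. The coordinates and versions for reload4j (ch.qos.reload4j:reload4j 1.2.19), the slf4j-reload4j binding (1.7.36) and the enforcer plugin (3.0.0) are assumptions made for this example, as is the project itself; the enforcer rule is there so the build fails if log4j:log4j comes back through some other transitive path.

```xml
<!-- Added example pom.xml, not from the Jira issue or from Hadoop.
     Assumed coordinates/versions: reload4j 1.2.19, slf4j-reload4j 1.7.36,
     maven-enforcer-plugin 3.0.0. Verify with: mvn dependency:tree -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>hadoop-consumer</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the version the comment says Hadoop 3.3.2 will ship with.
           dependencyManagement also applies to transitive dependencies, so
           the 1.x version pulled in by hadoop-common is replaced. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.21</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-common</artifactId>
      <version>3.3.1</version>
      <exclusions>
        <!-- Drop log4j 1.x and the SLF4J binding that would load it. -->
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.slf4j</groupId>
          <artifactId>slf4j-log4j12</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- reload4j is a drop-in fork of log4j 1.2 (same org.apache.log4j
         package names), so Hadoop's existing log4j.properties keeps working. -->
    <dependency>
      <groupId>ch.qos.reload4j</groupId>
      <artifactId>reload4j</artifactId>
      <version>1.2.19</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-reload4j</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Fail the build if log4j 1.x re-enters through another transitive
           path (e.g. a different Hadoop module). bannedDependencies searches
           transitive dependencies by default. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <executions>
          <execution>
            <id>ban-log4j1</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>log4j:log4j</exclude>
                    <exclude>org.slf4j:slf4j-log4j12</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Exclusions are per-dependency, so if the project also depends on other Hadoop artifacts (hadoop-hdfs-client, hadoop-auth, and so on) each of those needs the same exclusion block; the enforcer rule is what catches the ones that were missed. Swapping the logging backend does nothing for the other artifacts in the reporter's list, which belong to different libraries and need their own pins or upgrades.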