[
https://issues.apache.org/jira/browse/HADOOP-18197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577223#comment-17577223
]
Tamas Domok commented on HADOOP-18197:
--------------------------------------
Hi [[email protected]],
Based on [this|https://github.com/advisories/GHSA-wrvw-hg22-4m67] the affected
versions of CVE-2021-22569 are:
{quote}
com.google.protobuf:protobuf-java
Affected versions
< 3.16.1
>= 3.18.0, < 3.18.2
>= 3.19.0, < 3.19.2
Patched versions
3.16.1
3.18.2
3.19.2
{quote}
Which conforms to the link in the description. So the protobuf-java-2.5.0.jar is
not affected by CVE-2021-22569, but it is vulnerable to CVE-2015-5237 and
CVE-2019-15544.
I see that we ship the following protobuf related jars in the 3.3.4 release:
{code}
./hadoop-3.3.4/share/hadoop/yarn/csi/lib/protobuf-java-3.6.1.jar
./hadoop-3.3.4/share/hadoop/yarn/csi/lib/grpc-protobuf-lite-1.26.0.jar
./hadoop-3.3.4/share/hadoop/yarn/csi/lib/grpc-protobuf-1.26.0.jar
./hadoop-3.3.4/share/hadoop/common/lib/protobuf-java-2.5.0.jar
./hadoop-3.3.4/share/hadoop/common/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar
./hadoop-3.3.4/share/hadoop/hdfs/lib/protobuf-java-2.5.0.jar
./hadoop-3.3.4/share/hadoop/hdfs/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar
{code}
The csi was changed in: YARN-10747. Bump YARN CSI protobuf version to 3.7.1
(#2946)
Just out of curiosity: what's the plan for protobuf 2.5.0 in older releases,
e.g. branch-2.10.2 or branch-3.2.3/4? Do we plan to update it to 2.6.1, or
would that break things because it was not shaded? And what about newer
branches and trunk: should we just not ship the 2.5.0 jar?
Thanks.
> Update protobuf 3.7.1 to a version without CVE-2021-22569
> ---------------------------------------------------------
>
> Key: HADOOP-18197
> URL: https://issues.apache.org/jira/browse/HADOOP-18197
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Ivan Viaznikov
> Priority: Major
> Labels: pull-request-available, security
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The artifact `org.apache.hadoop:hadoop-common` brings in a dependency
> `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version
> released in 2013 and it contains a vulnerability
> [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569].
> Therefore, requesting you to clarify if this library version is going to be
> updated in the following releases.
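An added check, not part of the Jira thread or the Hadoop code base, that applies the GHSA ranges quoted in the comment above to the jar listing from the same comment. It applies the ranges literally, so `< 3.16.1` matches every older version it finds; the shaded artifact name only carries `3_7`, so its patch component is assumed to be 0 (the issue title gives the bundled version as 3.7.1, which sits in the same range).

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# CVE-2021-22569 ranges as quoted from GHSA-wrvw-hg22-4m67 in the comment:
# (lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES = [
    (None, (3, 16, 1)),
    ((3, 18, 0), (3, 18, 2)),
    ((3, 19, 0), (3, 19, 2)),
]

# Constructed input: the jar paths from the hadoop-3.3.4 listing in the comment.
SAMPLE_JARS = [
    "./hadoop-3.3.4/share/hadoop/yarn/csi/lib/protobuf-java-3.6.1.jar",
    "./hadoop-3.3.4/share/hadoop/yarn/csi/lib/grpc-protobuf-lite-1.26.0.jar",
    "./hadoop-3.3.4/share/hadoop/yarn/csi/lib/grpc-protobuf-1.26.0.jar",
    "./hadoop-3.3.4/share/hadoop/common/lib/protobuf-java-2.5.0.jar",
    "./hadoop-3.3.4/share/hadoop/common/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar",
    "./hadoop-3.3.4/share/hadoop/hdfs/lib/protobuf-java-2.5.0.jar",
    "./hadoop-3.3.4/share/hadoop/hdfs/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar",
]

UNSHADED_RE = re.compile(r"/protobuf-java-(\d+)\.(\d+)\.(\d+)\.jar$")
SHADED_RE = re.compile(r"/hadoop-shaded-protobuf_(\d+)_(\d+)-[\d.]+\.jar$")


def parse_version(path: str) -> Optional[Tuple[str, Version]]:
    """Return ('unshaded'|'shaded', version) for a protobuf jar path, else None.
    Assumption: the shaded artifact name only encodes major_minor, so patch = 0."""
    m = UNSHADED_RE.search(path)
    if m:
        return "unshaded", tuple(int(x) for x in m.groups())
    m = SHADED_RE.search(path)
    if m:
        return "shaded", (int(m.group(1)), int(m.group(2)), 0)
    return None


def is_affected(version: Version) -> bool:
    """Lower bound inclusive, upper bound exclusive, as written in the advisory."""
    return any((lo is None or version >= lo) and version < hi for lo, hi in AFFECTED_RANGES)


def scan(paths: List[str]) -> List[Tuple[str, str, str, bool]]:
    """(path, kind, version, affected) for every protobuf jar in the listing."""
    report = []
    for path in paths:
        parsed = parse_version(path)
        if parsed is None:
            continue  # grpc-protobuf* jars do not carry protobuf-java itself
        kind, ver = parsed
        report.append((path, kind, ".".join(map(str, ver)), is_affected(ver)))
    return report


if __name__ == "__main__":
    for path, kind, ver, hit in scan(SAMPLE_JARS):
        print(f"{'AFFECTED' if hit else 'ok      '} {kind:8} {ver:7} {path}")
```

To run it against a real unpacked release, replace SAMPLE_JARS with the output of `find . -name '*protobuf*.jar'` from the distribution root.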
--
This message was sent by Atlassian Jira
(v8.20.10#820010)