[ https://issues.apache.org/jira/browse/HDFS-15333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17153209#comment-17153209 ]

weiyanen commented on HDFS-15333:
---------------------------------

So NOW, how can I resolve this vulnerability problem? 

I've used htrace-core4-4.1.0-incubating and it used jackson 2.4.0 which has 
vulnerability issues.

I must use htrace-core4-4.1.0-incubating, otherwise, I would get an error for 
"org/apache/htrace/core/Tracer$Builder Context: java.lang.NoClassDefFoundError: 
org/apache/htrace/core/Tracer$Builder".

> Vulnerability fixes need for jackson-databinding HDFS dependency library
> ------------------------------------------------------------------------
>
>                 Key: HDFS-15333
>                 URL: https://issues.apache.org/jira/browse/HDFS-15333
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.2.1
>         Environment: [^hdfs_imagescan_result.csv]
>            Reporter: Hridesh
>            Priority: Critical
>         Attachments: hdfs_imagescan_result.csv
>
>
> HDFS has a couple of dependencies which bundle a jackson library with 
> vulnerabilities. 
> Below is the list of libraries used by HDFS which have vulnerabilities:
>  * htrace-core4-4.1.0-incubating.jar:jackson-databind
>  * htrace-core-3.1.0-incubating.jar:jackson-databind
>  * aws-java-sdk-bundle-1.11.375.jar:jackson-databind
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  * jackson-databind-2.9.8.jar
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  
> For example: "htrace-core4-4.1.0-incubating" is built with jackson 2.4.0. POM 
> URL: 
> [https://github.com/apache/incubator-retired-htrace/blob/e12b5fcfaafa56d676fee5f873da01df6b61dac9/pom.xml].
>  
> Jackson versions < 2.9.1 have the following vulnerabilities:
> CVE-2019-14379
> CVE-2019-16335
> CVE-2019-17531
> CVE-2019-14540
> CVE-2018-11307
> CVE-2019-12402
> CVE-2018-7489
> CVE-2018-12022
> CVE-2019-14439
> CVE-2017-15095
> CVE-2017-7525
> CVE-2017-17485
>  
> Attaching image scan result file.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
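
A check for the situation this issue describes, where jackson-databind is bundled inside other jars: the script below is an added example, not code from the issue or from Hadoop. It reads the Maven `pom.properties` that jackson-databind ships and flags copies below 2.9.1, the threshold given in the description. It assumes the bundling step kept that metadata file; `sample_jar` is a hypothetical helper that builds constructed input.

```python
import io
import re
import sys
import zipfile

THRESHOLD = (2, 9, 1)  # "Jackson version < 2.9.1" from the issue text
# Maven metadata jackson-databind carries; assumed to survive bundling/shading.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"

def parse_version(text):
    """'2.4.0' or '2.9.8-SNAPSHOT' -> (2, 4, 0) / (2, 9, 8)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_databind(jar, name, depth=0):
    """Yield (location, version) for each jackson-databind copy in `jar`
    (a path or file object), descending into nested jars up to 3 levels."""
    with zipfile.ZipFile(jar) as zf:
        for entry in zf.namelist():
            if entry == POM_PROPS:
                props = zf.read(entry).decode("utf-8", "replace")
                m = re.search(r"^version\s*=\s*(\S+)", props, re.M)
                if m:
                    yield name, m.group(1)
            elif entry.endswith(".jar") and depth < 3:
                try:
                    inner = io.BytesIO(zf.read(entry))
                    yield from find_databind(inner, f"{name}!{entry}", depth + 1)
                except zipfile.BadZipFile:
                    continue  # entry named .jar but not an archive

def below_threshold(jar, name):
    return [(l, v) for l, v in find_databind(jar, name) if parse_version(v) < THRESHOLD]

def sample_jar(version=None, nested=None):
    """Constructed in-memory jar for the demo; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"groupId=com.fasterxml.jackson.core\nversion={version}\n")
        for entry, data in (nested or {}).items():
            zf.writestr(entry, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for loc, ver in below_threshold(path, path):
            print(f"{loc}: jackson-databind {ver} < 2.9.1")
```

Run it with jar paths as arguments. A jar whose shading step stripped `META-INF/maven` will report nothing, so an empty result is not proof that no copy is bundled.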
