[ 
https://issues.apache.org/jira/browse/HDFS-15333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17153524#comment-17153524
 ] 

Masatake Iwasaki commented on HDFS-15333:
-----------------------------------------

You can use a newer jackson with htrace-core4-4.1.0-incubating. Recent Hadoop 
bundles 2.10.x of jackson-core and jackson-databind.

If you are using htrace-core4-4.1.0-incubating for your product, you can 
exclude them from the transitive dependencies in the pom. If your product itself 
needs jackson-core/jackson-databind, you can set the dependency version to a 
newer one as Hadoop does.

> Vulnerability fixes need for jackson-databinding HDFS dependency library
> ------------------------------------------------------------------------
>
>                 Key: HDFS-15333
>                 URL: https://issues.apache.org/jira/browse/HDFS-15333
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.2.1
>         Environment: [^hdfs_imagescan_result.csv]
>            Reporter: Hridesh
>            Priority: Critical
>         Attachments: hdfs_imagescan_result.csv
>
>
> HDFS has a couple of dependencies that bundle a jackson library with 
> vulnerabilities. 
> Below is a list of libraries used by HDFS that have the vulnerability:
>  * htrace-core4-4.1.0-incubating.jar:jackson-databind
>  * htrace-core-3.1.0-incubating.jar:jackson-databind
>  * aws-java-sdk-bundle-1.11.375.jar:jackson-databind
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  * jackson-databind-2.9.8.jar
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  
> For example: "htrace-core4-4.1.0-incubating" is built with jackson 2.4.0. POM 
> URL: 
> [https://github.com/apache/incubator-retired-htrace/blob/e12b5fcfaafa56d676fee5f873da01df6b61dac9/pom.xml]
>  
> Jackson versions < 2.9.1 have the below list of vulnerabilities:
> CVE-2019-14379
> CVE-2019-16335
> CVE-2019-17531
> CVE-2019-14540
> CVE-2018-11307
> CVE-2019-12402
> CVE-2018-7489
> CVE-2018-12022
> CVE-2019-14439
> CVE-2017-15095
> CVE-2017-7525
> CVE-2017-17485
>  
> Attaching the image scan result file.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
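The two remedies the comment describes (excluding the jackson artifacts that htrace-core4 pulls in transitively, and pinning the version your own product resolves to the 2.10.x line that Hadoop uses) look like this in a consumer's pom. This is an added example, not a fragment of the Hadoop or htrace poms; the property name `jackson.version` and the value `2.10.5` are assumptions chosen to stay on the 2.10.x line named in the comment, and the module coordinates are the usual ones (`org.apache.htrace:htrace-core4`, `com.fasterxml.jackson.core:jackson-core` / `jackson-databind`).

```xml
<!-- Added example (not from the Hadoop or htrace projects). Assumed values:
     jackson.version=2.10.5 is a placeholder on the 2.10.x line the comment
     refers to; substitute the version your Hadoop release actually bundles. -->
<project>
  <properties>
    <jackson.version>2.10.5</jackson.version>
  </properties>

  <!-- Remedy 2: pin the version that every module in this build resolves,
       so a 2.4.x / 2.9.8 jackson arriving transitively is overridden. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Remedy 1: keep htrace-core4 but drop the jackson artifacts it would
         otherwise bring along as transitive dependencies. -->
    <dependency>
      <groupId>org.apache.htrace</groupId>
      <artifactId>htrace-core4</artifactId>
      <version>4.1.0-incubating</version>
      <exclusions>
        <exclusion>
          <groupId>com.fasterxml.jackson.core</groupId>
          <artifactId>jackson-core</artifactId>
        </exclusion>
        <exclusion>
          <groupId>com.fasterxml.jackson.core</groupId>
          <artifactId>jackson-databind</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- If the product itself needs jackson, declare it explicitly; the
         version comes from dependencyManagement above. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm what actually got resolved rather than trusting the declaration: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` prints only the jackson artifacts in the resolved graph and the path each one arrived by, so a stray 2.9.8 still coming in through another dependency shows up immediately. Note that an exclusion only affects artifacts Maven resolves separately; if a scanner reports jackson classes packaged inside a jar itself (the `jar:jackson-databind` form in the report above), those classes stay in that jar regardless of the pom, which `jar tf <jar> | grep jackson` will reveal.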

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]