[
https://issues.apache.org/jira/browse/BEAM-6267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16729074#comment-16729074
]
Kenneth Knowles commented on BEAM-6267:
---------------------------------------
I don't think Beam is vulnerable to this, but we should update vendored Guava
anyhow. A more interesting question might be what is going to happen with
modules that depend on public Guava. I know of Spark and Cassandra but
transitively there are probably others.
> Guava library DOS vulnerability in Beam Java SDK
> ------------------------------------------------
>
> Key: BEAM-6267
> URL: https://issues.apache.org/jira/browse/BEAM-6267
> Project: Beam
> Issue Type: Bug
> Components: sdk-java-core
> Affects Versions: 2.4.0, 2.9.0
> Environment: Java
> Reporter: Abdul Qadeer
> Assignee: Kenneth Knowles
> Priority: Major
>
> Guava 11.0 through 24.x are affected by the following vulnerability:
> [https://groups.google.com/forum/#!topic/guava-announce/xqWALw4W1vs/discussion]
> https://nvd.nist.gov/vuln/detail/2018-10237
> All Beam versions that use these Guava versions need to be updated with
> latest fixed Guava library.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
