[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ankit Singhal updated HBASE-20582:
----------------------------------
    Description: 
There are some vulnerabilities reported with two of the libraries used in HBase.

{code}
Jackson(version:2.9.2):
CVE-2017-17485
CVE-2018-5968
CVE-2018-7489

Jruby(version:9.1.10.0):
CVE-2009-5147
CVE-2013-4363
CVE-2014-4975
CVE-2014-8080
CVE-2014-8090
CVE-2015-3900
CVE-2015-7551
CVE-2015-9096
CVE-2017-0899
CVE-2017-0900
CVE-2017-0901
CVE-2017-0902
CVE-2017-0903
CVE-2017-10784
CVE-2017-14064
CVE-2017-9224
CVE-2017-9225
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
{code}

The tool is somehow able to relate the vulnerabilities of Ruby with JRuby (Java 
implementation).

Not all of them directly affect HBase, but [~elserj] suggested that it is 
better to be on the updated version to avoid issues during an audit in a 
security-sensitive organization.


 

  was:
There are some vulnerabilities reported with two of the libraries used in HBase.

{code}
Jackson(version:2.9.2):
CVE-2017-17485
CVE-2018-5968
CVE-2018-7489

Jruby(version:9.1.10.0):
CVE-2009-5147
CVE-2013-4363
CVE-2014-4975
CVE-2014-8080
CVE-2014-8090
CVE-2015-3900
CVE-2015-7551
CVE-2015-9096
CVE-2017-0899
CVE-2017-0900
CVE-2017-0901
CVE-2017-0902
CVE-2017-0903
CVE-2017-10784
CVE-2017-14064
CVE-2017-9224
CVE-2017-9225
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
{code}

The tool is somehow able to relate the vulnerabilities of Ruby with JRuby (Java 
implementation).

Not all of them directly affect HBase, but it is better to be on the updated 
version to avoid issues during an audit in a security-sensitive organization.

 


> Bump up the Jackson and Jruby version because of some reported vulnerabilities
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Ankit Singhal
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in 
> HBase.
> {code}
> Jackson(version:2.9.2):
> CVE-2017-17485
> CVE-2018-5968
> CVE-2018-7489
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool is somehow able to relate the vulnerabilities of Ruby with JRuby (Java 
> implementation).
> Not all of them directly affect HBase, but [~elserj] suggested that it is 
> better to be on the updated version to avoid issues during an audit in a 
> security-sensitive organization.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
