[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ankit Singhal updated HBASE-20582:
----------------------------------
    Description:
There are some vulnerabilities reported with two of the libraries used in HBase.
{code}
Jackson(version:2.9.2):
CVE-2017-17485
CVE-2018-5968
CVE-2018-7489

Jruby(version:9.1.10.0):
CVE-2009-5147
CVE-2013-4363
CVE-2014-4975
CVE-2014-8080
CVE-2014-8090
CVE-2015-3900
CVE-2015-7551
CVE-2015-9096
CVE-2017-0899
CVE-2017-0900
CVE-2017-0901
CVE-2017-0902
CVE-2017-0903
CVE-2017-10784
CVE-2017-14064
CVE-2017-9224
CVE-2017-9225
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
{code}
The tool is somehow able to relate the vulnerabilities of Ruby with JRuby (the Java implementation).

Not all of them directly affect HBase, but [~elserj] suggested that it is better to be on the updated version to avoid issues during an audit in a security-sensitive organization.

  was:
There are some vulnerabilities reported with two of the libraries used in HBase.
{code}
Jackson(version:2.9.2):
CVE-2017-17485
CVE-2018-5968
CVE-2018-7489

Jruby(version:9.1.10.0):
CVE-2009-5147
CVE-2013-4363
CVE-2014-4975
CVE-2014-8080
CVE-2014-8090
CVE-2015-3900
CVE-2015-7551
CVE-2015-9096
CVE-2017-0899
CVE-2017-0900
CVE-2017-0901
CVE-2017-0902
CVE-2017-0903
CVE-2017-10784
CVE-2017-14064
CVE-2017-9224
CVE-2017-9225
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
{code}
The tool is somehow able to relate the vulnerabilities of Ruby with JRuby (the Java implementation).

Not all of them directly affect HBase, but it is better to be on the updated version to avoid issues during an audit in a security-sensitive organization.

> Bump up the Jackson and Jruby version because of some reported vulnerabilities
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Ankit Singhal
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in
> HBase.
> {code}
> Jackson(version:2.9.2):
> CVE-2017-17485
> CVE-2018-5968
> CVE-2018-7489
>
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool is somehow able to relate the vulnerabilities of Ruby with JRuby (the Java
> implementation).
> Not all of them directly affect HBase, but [~elserj] suggested that it is
> better to be on the updated version to avoid issues during an audit in
> a security-sensitive organization.
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)