[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476161#comment-16476161 ]
Josh Elser commented on HBASE-20582:
------------------------------------

{quote}We shade it in our client, so hopefully.{quote}

lol, right. Duh. :)

{quote}the shading makes it worse in some sense, btw. since it's substantially harder for a downstream user to upgrade that version.{quote}

My thinking was that when we "hide" Jackson, we take the onus to make sure we aren't shipping a version of Jackson which HBase itself is vulnerable to (e.g. when no Spring on the classpath, we're ok). I am expecting that a user with Spring on their classpath and our shaded Jackson version wouldn't be vulnerable to the CVE as a result of us (because they wouldn't know to use our version; they'd use their own at the normal Java coordinates).

{quote}removing jackson from the client path makes sense, imho.{quote}

Could swap out Jackson for a GSON (or any other lib). Not sure if that's just trading one set of problems for another, ya know?

> Bump up the Jackson and Jruby version because of some reported vulnerabilities
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Ankit Singhal
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in
> HBase.
> {code}
> Jackson(version:2.9.2):
> CVE-2017-17485
> CVE-2018-5968
> CVE-2018-7489
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool was somehow able to relate the vulnerabilities of Ruby with JRuby (the Java
> implementation).
> Not all of them directly affect HBase, but [~elserj] suggested that it is
> better to be on the updated version to avoid issues during an audit in a
> security-sensitive organization.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
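The shading discussion above turns on two things a downstream user can actually check on the artifact they ship: whether the client jar still exposes Jackson at its normal `com.fasterxml.jackson` coordinates (where it would collide with, or be picked up instead of, the user's own copy), and which jackson-databind version is bundled under the relocated package. The script below is an added example, not HBase project code or anything posted in this thread. It assumes the relocation prefix `org/apache/hadoop/hbase/shaded/` (substitute the prefix from the project's maven-shade-plugin configuration if it differs), assumes the minimum acceptable jackson-databind version passed to `is_acceptable` (the ticket does not say which release fixes the listed CVEs, so `2.9.5` in the `__main__` block is a placeholder), and builds two sample jars in memory so it runs offline.

```python
#!/usr/bin/env python3
"""Check whether a jar leaks an unrelocated Jackson and which jackson-databind it bundles.

Added example for the HBASE-20582 shading discussion; not HBase project code.
The relocation prefix and the minimum acceptable version are assumptions passed
in as parameters; the sample jars are constructed in memory so this runs offline.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

JACKSON_PKG = "com/fasterxml/jackson/"
# Assumed relocation prefix of the shaded HBase client; substitute the real one
# from the project's maven-shade-plugin configuration if it differs.
DEFAULT_SHADE_PREFIX = "org/apache/hadoop/hbase/shaded/"
# maven-shade-plugin keeps this Maven metadata file even when classes are relocated.
DATABIND_POM_PROPS = (
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
)


@dataclass
class JacksonReport:
    unrelocated: List[str] = field(default_factory=list)  # classes at the normal coordinates
    relocated: int = 0                                    # classes under the shade prefix
    databind_version: Optional[str] = None

    def exposes_jackson(self) -> bool:
        """True if a consumer's own com.fasterxml.jackson.* would collide with ours."""
        return bool(self.unrelocated)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.9.2' -> (2, 9, 2); tolerates suffixes such as '2.9.5.hbase-1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def inspect_jar(jar_bytes: bytes, shade_prefix: str = DEFAULT_SHADE_PREFIX) -> JacksonReport:
    """Walk the jar's entries and classify every Jackson class as relocated or not."""
    report = JacksonReport()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        for name in names:
            if not name.endswith(".class"):
                continue
            if name.startswith(JACKSON_PKG):
                report.unrelocated.append(name)
            elif name.startswith(shade_prefix + JACKSON_PKG):
                report.relocated += 1
        if DATABIND_POM_PROPS in names:
            for line in jar.read(DATABIND_POM_PROPS).decode("utf-8").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    report.databind_version = value.strip()
    return report


def is_acceptable(report: JacksonReport, min_databind: str) -> bool:
    """Pass only if nothing sits at the normal coordinates and, when a
    jackson-databind is bundled at all, it is at least min_databind."""
    if report.exposes_jackson():
        return False
    if report.databind_version is None:
        return True
    return parse_version(report.databind_version) >= parse_version(min_databind)


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Construct a jar (a zip file) in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()


# Constructed sample jars: class bodies are placeholders, only the entry names matter.
LEAKY_JAR = build_jar({
    "com/fasterxml/jackson/databind/ObjectMapper.class": b"\xca\xfe\xba\xbe",
    DATABIND_POM_PROPS: b"version=2.9.2\ngroupId=com.fasterxml.jackson.core\n",
})
SHADED_JAR = build_jar({
    DEFAULT_SHADE_PREFIX + "com/fasterxml/jackson/databind/ObjectMapper.class": b"\xca\xfe\xba\xbe",
    DEFAULT_SHADE_PREFIX + "com/fasterxml/jackson/core/JsonParser.class": b"\xca\xfe\xba\xbe",
    DATABIND_POM_PROPS: b"version=2.9.5\n",
})


if __name__ == "__main__":
    # Usage: python check_shaded_jackson.py path/to/hbase-shaded-client.jar
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEAKY_JAR
    rep = inspect_jar(data)
    print(f"unrelocated Jackson classes: {len(rep.unrelocated)}, "
          f"relocated: {rep.relocated}, jackson-databind: {rep.databind_version}")
    # "2.9.5" is an assumed floor; take the real one from the advisory for each CVE.
    print("acceptable" if is_acceptable(rep, "2.9.5") else "NOT acceptable")
```

Run it against the real shaded client jar to get the two facts the thread argues about: an empty `unrelocated` list confirms that a user's own Jackson (the one Spring would load) is not shadowed by HBase's copy, and `databind_version` tells you what the shaded copy actually is, since the user cannot override it through normal dependency management.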