[jira] [Updated] (HBASE-25214) about hbase introduced fasterxml‘s jackson versions and vulnerabilities

openlookeng (Jira) Thu, 22 Oct 2020 06:11:50 -0700


     [ 
https://issues.apache.org/jira/browse/HBASE-25214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


openlookeng updated HBASE-25214:
--------------------------------
    Description: 
a lot of hbase component use htrace-core4, this htrace-core4 shaded fasterxml 
jackson(version 2.4.0)

[INFO] | +- 
org.apache.hbase.thirdparty:hbase-shaded-miscellaneous:jar:2.2.1:compile
 [INFO] | +- org.slf4j:slf4j-api:jar:1.7.29:compile
 [INFO] | +- commons-io:commons-io:jar:2.6:compile
 [INFO] | +- 
{color:#ff0000}org.apache.htrace:htrace-core4:jar:4.2.0-incubating:compile{color}
 [INFO] | +- org.apache.commons:commons-crypto:jar:1.0.0:compile
 [INFO] | +- 
com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile
 [INFO] | +- log4j:log4j:jar:1.2.17:compile
 [INFO] | - org.apache.yetus:audience-annotations:jar:0.5.0:compile

 

as you known fasterxml  jackson component is frequently coming out new 
vulnerabilities, like   
CVE-2016-7051、CVE-2016-3720、CVE-2018-5968、CVE-2018-11307、CVE-2018-7489、CVE-2019-14893、CVE-2019-14379、CVE-2020-14195、CVE-2020-14061、CVE-2020-8840、CVE-2019-14540、CVE-2020-10968、CVE-2020-11619、CVE-2019-17531、CVE-2019-16943、CVE-2020-14062、CVE-2020-14060、CVE-2020-11111、CVE-2019-16942、CVE-2020-9546、CVE-2020-9548、CVE-2019-12384、CVE-2020-10673、CVE-2020-24750、CVE-2019-16335、CVE-2019-14439、CVE-2020-10969、CVE-2020-11112、CVE-2019-12086、CVE-2019-20330、CVE-2019-17267、CVE-2020-9547、CVE-2020-11113、CVE-2020-10672、CVE-2020-11620、CVE-2020-24616、CVE-2018-19362、CVE-2018-19361、CVE-2018-19360、CVE-2018-14721、CVE-2018-14720、CVE-2018-14719、CVE-2018-14718、CVE-2018-1000873、CVE-2017-7525、CVE-2017-17485、CVE-2017-15095，CVE-2019-12814

htrace-core4 is closed 4 years ago,  what about this component's 
vulnerabilities, did hbase have plan to do with this？

 

 

 

  was:
a lot of hbase component use htrace-core4, this htrace-core4 shaded fasterxml 
jackson(version 2.4.0)

[INFO] | +- 
org.apache.hbase.thirdparty:hbase-shaded-miscellaneous:jar:2.2.1:compile
 [INFO] | +- org.slf4j:slf4j-api:jar:1.7.29:compile
 [INFO] | +- commons-io:commons-io:jar:2.6:compile
 [INFO] | +- 
{color:#ff0000}org.apache.htrace:htrace-core4:jar:4.2.0-incubating:compile{color}
 [INFO] | +- org.apache.commons:commons-crypto:jar:1.0.0:compile
 [INFO] | +- 
com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile
 [INFO] | +- log4j:log4j:jar:1.2.17:compile
 [INFO] | - org.apache.yetus:audience-annotations:jar:0.5.0:compile

 

as you known fasterxml  jackson component is frequently coming out new 
vulnerabilities, like   
CVE-2016-7051、CVE-2016-3720、CVE-2018-5968、CVE-2018-11307、CVE-2018-7489、CVE-2019-14893、CVE-2019-14379、CVE-2020-14195、CVE-2020-14061、CVE-2020-8840、CVE-2019-14540、CVE-2020-10968、CVE-2020-11619、CVE-2019-17531、CVE-2019-16943、CVE-2020-14062、CVE-2020-14060、CVE-2020-11111、CVE-2019-16942、CVE-2020-9546、CVE-2020-9548、CVE-2019-12384、CVE-2020-10673、CVE-2020-24750、CVE-2019-16335、CVE-2019-14439、CVE-2020-10969、CVE-2020-11112、CVE-2019-12086、CVE-2019-20330、CVE-2019-17267、CVE-2020-9547、CVE-2020-11113、CVE-2020-10672、CVE-2020-11620、CVE-2020-24616、CVE-2018-19362、CVE-2018-19361、CVE-2018-19360、CVE-2018-14721、CVE-2018-14720、CVE-2018-14719、CVE-2018-14718、CVE-2018-1000873、CVE-2017-7525、CVE-2017-17485、CVE-2017-15095

htrace-core4 is closed 4 years ago,  what about this component's 
vulnerabilities, did hbase have plan to do with this？

 

 

 


> about hbase introduced fasterxml‘s jackson versions and vulnerabilities 
> ------------------------------------------------------------------------
>
>                 Key: HBASE-25214
>                 URL: https://issues.apache.org/jira/browse/HBASE-25214
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: openlookeng
>            Priority: Blocker
>
> a lot of hbase component use htrace-core4, this htrace-core4 shaded fasterxml 
> jackson(version 2.4.0)
> [INFO] | +- 
> org.apache.hbase.thirdparty:hbase-shaded-miscellaneous:jar:2.2.1:compile
>  [INFO] | +- org.slf4j:slf4j-api:jar:1.7.29:compile
>  [INFO] | +- commons-io:commons-io:jar:2.6:compile
>  [INFO] | +- 
> {color:#ff0000}org.apache.htrace:htrace-core4:jar:4.2.0-incubating:compile{color}
>  [INFO] | +- org.apache.commons:commons-crypto:jar:1.0.0:compile
>  [INFO] | +- 
> com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile
>  [INFO] | +- log4j:log4j:jar:1.2.17:compile
>  [INFO] | - org.apache.yetus:audience-annotations:jar:0.5.0:compile
>  
> as you known fasterxml  jackson component is frequently coming out new 
> vulnerabilities, like   
> CVE-2016-7051、CVE-2016-3720、CVE-2018-5968、CVE-2018-11307、CVE-2018-7489、CVE-2019-14893、CVE-2019-14379、CVE-2020-14195、CVE-2020-14061、CVE-2020-8840、CVE-2019-14540、CVE-2020-10968、CVE-2020-11619、CVE-2019-17531、CVE-2019-16943、CVE-2020-14062、CVE-2020-14060、CVE-2020-11111、CVE-2019-16942、CVE-2020-9546、CVE-2020-9548、CVE-2019-12384、CVE-2020-10673、CVE-2020-24750、CVE-2019-16335、CVE-2019-14439、CVE-2020-10969、CVE-2020-11112、CVE-2019-12086、CVE-2019-20330、CVE-2019-17267、CVE-2020-9547、CVE-2020-11113、CVE-2020-10672、CVE-2020-11620、CVE-2020-24616、CVE-2018-19362、CVE-2018-19361、CVE-2018-19360、CVE-2018-14721、CVE-2018-14720、CVE-2018-14719、CVE-2018-14718、CVE-2018-1000873、CVE-2017-7525、CVE-2017-17485、CVE-2017-15095，CVE-2019-12814
> htrace-core4 is closed 4 years ago,  what about this component's 
> vulnerabilities, did hbase have plan to do with this？
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (HBASE-25214) about hbase introduced fasterxml‘s jackson versions and vulnerabilities

Reply via email to