[ 
https://issues.apache.org/jira/browse/HBASE-27817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17716855#comment-17716855
 ] 

Geoffrey Jacoby commented on HBASE-27817:
-----------------------------------------

This was also something we wanted to do in Phoenix recently, but decided to 
postpone so we stayed in sync with HBase's dependencies. So HBase upgrading 
would also allow Phoenix to upgrade as well.

> Migrate javax.el:3.0.1-b08 to jakarta.el-4.0.2
> ----------------------------------------------
>
>                 Key: HBASE-27817
>                 URL: https://issues.apache.org/jira/browse/HBASE-27817
>             Project: HBase
>          Issue Type: Task
>    Affects Versions: 3.0.0-alpha-4, 2.5.5, 2.4.18
>            Reporter: Wes Schuitema
>            Priority: Trivial
>
> The javax.el artifact contains a CVE:
> [CVE-2021-28170|https://nvd.nist.gov/vuln/detail/CVE-2021-28170].
> The CVE itself is not a big issue since we're pre-compiling our JSP pages
> when building HBase; no user input is parsed, which reduces the risk
> considerably.
> The org.glassfish:javax.el artifact was moved to org.glassfish:jakarta.el, 
> which means a migration to get rid of the CVE.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
