[
https://issues.apache.org/jira/browse/HBASE-29651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xavier Fernandis updated HBASE-29651:
-------------------------------------
Description:
h2. Overview
Sonatype security scan has identified multiple vulnerabilities in our current
JRuby version 9.4.12.1. These vulnerabilities pose security risks and require
immediate remediation through version upgrade.
h2. Impact Assessment
* *High Risk:* 3 critical vulnerabilities with CVSS 7+ scores
* *Attack Vectors:* Denial of Service, Memory Exhaustion, Regular Expression
DoS
* *Affected Components:* CGI gem, Net::IMAP library, REXML parser
* *Business Impact:* Potential service disruption, resource exhaustion
h2. Confirmed Fixes
* *CVE-2025-27219 & CVE-2025-27220:* Fixed in JRuby 9.4.14.0 (CGI gem updated
[https://github.com/jruby/jruby/pull/8954])
* *CVE-2025-43857:* Fixed in JRuby 9.4.13.0 (Net::IMAP updated to 0.2.5
[https://github.com/jruby/jruby/pull/8827])
h2. References
- [JRuby 9.4.14.0 Release
Notes]([https://github.com/jruby/jruby/releases/tag/9.4.14.0])
- [CVE-2025-27219 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-27219])
- [CVE-2025-27220 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-27220])
- [CVE-2025-43857 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-43857])
was:
h3. Overview
Sonatype security scan has identified multiple vulnerabilities in our current
JRuby version 9.4.12.1. These vulnerabilities pose security risks and require
immediate remediation through version upgrade.
h3. Impact Assessment
* *High Risk:* 3 critical vulnerabilities with CVSS 7+ scores
* *Attack Vectors:* Denial of Service, Memory Exhaustion, Regular Expression
DoS
* *Affected Components:* CGI gem, Net::IMAP library, REXML parser
* *Business Impact:* Potential service disruption, resource exhaustion
h3. Verified Fix Availability
Based on JRuby release notes analysis:
*Confirmed Fixes:*
* *CVE-2025-27219 & CVE-2025-27220:* Fixed in JRuby 9.4.14.0 (CGI gem updated
https://github.com/jruby/jruby/pull/8954)
* *CVE-2025-43857:* Fixed in JRuby 9.4.13.0 (Net::IMAP updated to 0.2.5
https://github.com/jruby/jruby/pull/8827)
h3. Recommended Solution
*Immediate Action Required:* Upgrade JRuby from 9.4.12.1 to *9.4.14.0*
### References
- [JRuby 9.4.14.0 Release
Notes](https://github.com/jruby/jruby/releases/tag/9.4.14.0)
- [CVE-2025-27219 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-27219)
- [CVE-2025-27220 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-27220)
- [CVE-2025-43857 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-43857)
> Security Vulnerabilities in JRuby 9.4.12.1 - Multiple CVEs Requiring Upgrade
> ----------------------------------------------------------------------------
>
> Key: HBASE-29651
> URL: https://issues.apache.org/jira/browse/HBASE-29651
> Project: HBase
> Issue Type: Bug
> Reporter: Xavier Fernandis
> Priority: Major
>
> h2. Overview
> Sonatype security scan has identified multiple vulnerabilities in our current
> JRuby version 9.4.12.1. These vulnerabilities pose security risks and require
> immediate remediation through version upgrade.
> h2. Impact Assessment
> * *High Risk:* 3 critical vulnerabilities with CVSS 7+ scores
> * *Attack Vectors:* Denial of Service, Memory Exhaustion, Regular Expression
> DoS
> * *Affected Components:* CGI gem, Net::IMAP library, REXML parser
> * *Business Impact:* Potential service disruption, resource exhaustion
> h2. Confirmed Fixes
> * *CVE-2025-27219 & CVE-2025-27220:* Fixed in JRuby 9.4.14.0 (CGI gem
> updated [https://github.com/jruby/jruby/pull/8954])
> * *CVE-2025-43857:* Fixed in JRuby 9.4.13.0 (Net::IMAP updated to 0.2.5
> [https://github.com/jruby/jruby/pull/8827])
> h2. References
> - [JRuby 9.4.14.0 Release
> Notes]([https://github.com/jruby/jruby/releases/tag/9.4.14.0])
> - [CVE-2025-27219 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-27219])
> - [CVE-2025-27220 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-27220])
> - [CVE-2025-43857 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-43857])
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
