[
https://issues.apache.org/jira/browse/PHOENIX-5078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16742463#comment-16742463
]
Andrew Purtell commented on PHOENIX-5078:
-----------------------------------------
Shade Guava. Use the version we need.
> Phoenix depends on Guava 13.0.1 which has CVE-2018-10237
> --------------------------------------------------------
>
> Key: PHOENIX-5078
> URL: https://issues.apache.org/jira/browse/PHOENIX-5078
> Project: Phoenix
> Issue Type: Bug
> Affects Versions: 4.14.1
> Reporter: Jerry Chabot
> Priority: Major
>
> Phoenix has a dependency on guava 13.0.1. This
> cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237 specifies a
> vulnerability in Guava 11.0 through 24.x. It is an unbounded memory
> allocation that allows remote attackers to conduct denial of service attacks.
> Does this apply to Phoenix?
> I want to upgrade our product dependency on Guava. But, doing so had caused
> problems with Phoenix in the past. Currently, our product's quava dependency
> has been stuck at Guava 15.0 to avoid Phoenix issues.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
