[ https://issues.apache.org/jira/browse/STORM-3754?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla closed STORM-3754.
----------------------------------
    Fix Version/s: 2.6.0
       Resolution: Fixed

We upgraded Guava in the context of 2.6.0

> Upgrade Guava version because of security vulnerability
> -------------------------------------------------------
>
>                 Key: STORM-3754
>                 URL: https://issues.apache.org/jira/browse/STORM-3754
>             Project: Apache Storm
>          Issue Type: Improvement
>          Components: storm-hdfs, storm-hive
>            Reporter: Bipin Prasad
>            Priority: Minor
>             Fix For: 2.6.0
>
>
> storm-hdfs-examples and storm-hive-examples use com.google.guava:guava:16.0.1
> This has a known vulnerability https://nvd.nist.gov/vuln/detail/CVE-2018-10237
> "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
> allows remote attackers to conduct denial of service attack."
> The guava version downgrade was required earlier because of hadoop-hdfs 2.6.1.
> Since storm is now using hadoop-hdfs 2.8.5, this downgrade may not be
> necessary.
> It is possible that a separate jar may need to be added as dependency
> com.google.guava:failureaccess:1.0. See
> https://github.com/google/guava/releases around Oct 18, 2018 when Guava
> version 27.0 was released. Note that Hadoop HDFS 2.8.5 was released on Sep 8,
> 2018 (i.e. before the guava version 27.0).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
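
A check for the version range quoted in the issue above, added here as an example and not taken from the Storm project: it scans Maven dependency-tree style lines and flags com.google.guava:guava versions from 11.0 up to, but not including, 24.1.1. The function names and the sample dependency lines are constructed for illustration.

```python
import re

# Range as quoted in the issue from CVE-2018-10237:
# "Guava 11.0 through 24.x before 24.1.1"
AFFECTED_FROM = (11, 0, 0)
FIXED_IN = (24, 1, 1)
# Matches only the artifact "guava", not guava-testlib or failureaccess.
COORD = re.compile(r"(com\.google\.guava:guava(?::[^\s:]+)+)")

def parse_version(text):
    """'16.0.1' -> (16, 0, 1); '27.0-jre' -> (27, 0, 0); None if not numeric."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?$", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def guava_version(coord):
    """Pick the version field out of a Maven coordinate string."""
    parts = coord.split(":")
    # g:a:v | g:a:type:v | g:a:type:v:scope | g:a:type:classifier:v:scope
    idx = {3: 2, 4: 3, 5: 3, 6: 4}.get(len(parts))
    return parts[idx] if idx is not None else None

def scan(text):
    """Return (version string, status) for every Guava coordinate found."""
    findings = []
    for line in text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        raw = guava_version(m.group(1))
        ver = parse_version(raw) if raw else None
        if ver is None:
            status = "unknown"  # e.g. old 'r09' style versions; review by hand
        elif AFFECTED_FROM <= ver < FIXED_IN:
            status = "affected"
        else:
            status = "not affected"
        findings.append((raw, status))
    return findings

# Constructed sample in the shape of `mvn dependency:tree` output.
SAMPLE_TREE = """\
[INFO] example:topology:jar:0.0.0
[INFO] +- com.google.guava:guava:jar:16.0.1:compile
[INFO] +- com.google.guava:guava-testlib:jar:16.0.1:test
[INFO] +- com.google.guava:failureaccess:jar:1.0:compile
[INFO] +- com.google.guava:guava:jar:24.1.1-jre:compile
[INFO] \\- com.google.guava:guava:jar:27.0-jre:compile
"""

if __name__ == "__main__":
    for version, status in scan(SAMPLE_TREE):
        print(f"guava {version}: {status}")
```

Transitive copies matter as much as direct ones, so the input should be the full resolved tree of each module, including the example modules named in the issue.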