[ https://issues.apache.org/jira/browse/STORM-3754?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla closed STORM-3754.
----------------------------------
Fix Version/s: 2.6.0
Resolution: Fixed
We upgraded Guava in the context of 2.6.0.
> Upgrade Guava version because of security vulnerability
> -------------------------------------------------------
>
> Key: STORM-3754
> URL: https://issues.apache.org/jira/browse/STORM-3754
> Project: Apache Storm
> Issue Type: Improvement
> Components: storm-hdfs, storm-hive
> Reporter: Bipin Prasad
> Priority: Minor
> Fix For: 2.6.0
>
>
> storm-hdfs-examples and storm-hive-examples use com.google.guava:guava:16.0.1.
> This has a known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
> "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
> allows remote attackers to conduct denial of service attack."
> The Guava version downgrade was required earlier because of hadoop-hdfs 2.6.1.
> Since Storm is now using hadoop-hdfs 2.8.5, this downgrade may not be
> necessary.
> It is possible that a separate jar may need to be added as a dependency:
> com.google.guava:failureaccess:1.0. See
> https://github.com/google/guava/releases around Oct 18, 2018, when Guava
> version 27.0 was released. Note that Hadoop HDFS 2.8.5 was released on Sep 8,
> 2018 (i.e. before Guava version 27.0).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
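Because hadoop-hdfs also pulls in its own Guava, the question the issue raises is which Guava version actually wins on a module's classpath and whether it falls in the CVE-2018-10237 range. The following audit is an added example, not code from the issue or the Storm project: it reads `mvn dependency:tree -Dverbose=true` output, ignores the conflict-loser lines Maven marks as "omitted for", and checks the surviving version against the affected range quoted from the CVE. The sample tree text, `SAMPLE_TREE`, and the function names are constructed for this example.

```python
import re

# Affected range from CVE-2018-10237 as quoted in the issue:
# "Google Guava 11.0 through 24.x before 24.1.1".
AFFECTED_MIN = (11, 0, 0)
FIXED_IN = (24, 1, 1)

# Constructed sample of `mvn dependency:tree -Dverbose=true` output for a
# storm-hdfs-examples-like module; not captured from the real project.
SAMPLE_TREE = """\
[INFO] org.apache.storm:storm-hdfs-examples:jar:2.6.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:2.8.5:compile
[INFO] |  \\- (com.google.guava:guava:jar:11.0.2:compile - omitted for conflict with 16.0.1)
[INFO] \\- com.google.guava:guava:jar:16.0.1:compile
"""

GUAVA_RE = re.compile(r"com\.google\.guava:guava:jar:([0-9][0-9A-Za-z.\-]*):")

def parse_version(v):
    """'24.1.1-jre' -> (24, 1, 1); '27.0' -> (27, 0, 0). Qualifier is dropped."""
    nums = []
    for part in v.split("-")[0].split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple((nums + [0, 0, 0])[:3])

def is_affected(version):
    """True if the version lies in the CVE-2018-10237 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

def resolved_guava_versions(tree_text):
    """Guava versions that actually win on the classpath; Maven's
    '(... omitted for ...)' lines are conflict losers and are skipped."""
    found = []
    for line in tree_text.splitlines():
        if "omitted for" in line:
            continue
        m = GUAVA_RE.search(line)
        if m:
            found.append(m.group(1))
    return found

def audit(tree_text):
    """Map each resolved Guava version to whether the CVE applies."""
    return {v: is_affected(v) for v in resolved_guava_versions(tree_text)}
```

Run `audit(open("tree.txt").read())` on a real `mvn dependency:tree -Dverbose=true` capture; a `True` value for a module means the upgrade (and, for Guava 27.0 and later, the failureaccess jar the issue mentions) is still outstanding.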