[jira] [Commented] (HDFS-15333) Vulnerability fixes need for jackson-databinding HDFS dependency library
[ https://issues.apache.org/jira/browse/HDFS-15333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17153524#comment-17153524 ]

Masatake Iwasaki commented on HDFS-15333:
-

You can use a newer jackson with htrace-core4-4.1.0-incubating. Recent Hadoop bundles 2.10.x of jackson-core and jackson-databind. If you are using htrace-core4-4.1.0-incubating for your product, you can exclude them from transitive dependencies in the pom. If your product itself needs jackson-core/jackson-databind, you can set the dependency version to a newer one as Hadoop does.

> Vulnerability fixes need for jackson-databinding HDFS dependency library
>
>                 Key: HDFS-15333
>                 URL: https://issues.apache.org/jira/browse/HDFS-15333
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.2.1
>         Environment: [^hdfs_imagescan_result.csv]
>            Reporter: Hridesh
>            Priority: Critical
>         Attachments: hdfs_imagescan_result.csv
>
>
> HDFS has a couple of dependencies that include a Jackson library with
> vulnerabilities.
> Below is the list of libraries used by HDFS that have the vulnerability:
>  * htrace-core4-4.1.0-incubating.jar:jackson-databind
>  * htrace-core-3.1.0-incubating.jar:jackson-databind
>  * aws-java-sdk-bundle-1.11.375.jar:jackson-databind
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  * jackson-databind-2.9.8.jar
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>
> For example, "htrace-core4-4.1.0-incubating" is built with jackson 2.4.0. POM
> URL:
> [https://github.com/apache/incubator-retired-htrace/blob/e12b5fcfaafa56d676fee5f873da01df6b61dac9/pom.xml]
>
> Jackson version < 2.9.1 has the below list of vulnerabilities:
> CVE-2019-14379
> CVE-2019-16335
> CVE-2019-17531
> CVE-2019-14540
> CVE-2018-11307
> CVE-2019-12402
> CVE-2018-7489
> CVE-2018-12022
> CVE-2019-14439
> CVE-2017-15095
> CVE-2017-7525
> CVE-2017-17485
>
> Attaching image scan result file.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
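The two options in the comment above, written out as a Maven pom fragment. This is an added example and not code from the Hadoop or HTrace projects; it assumes a product that depends on hadoop-client 3.2.1 and htrace-core4 4.1.0-incubating (the artifact coordinates on the page), and the `2.10.x` value is a placeholder to be replaced with the exact release your Hadoop build bundles.

```xml
<!-- Added example (not from the Hadoop or HTrace projects). Assumes a product
     that depends on hadoop-client 3.2.1 and htrace-core4 4.1.0-incubating.
     Only the dependency-related sections of the pom are shown. -->
<project>
  <properties>
    <!-- Placeholder: replace with the exact 2.10.x release your Hadoop build
         bundles (see the mvn dependency:tree command in the note below). -->
    <jackson.version>2.10.x</jackson.version>
  </properties>

  <!-- Second option from the comment: pin jackson-core / jackson-databind so
       that every transitive request for them resolves to the newer line,
       as Hadoop itself does. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-client</artifactId>
      <version>3.2.1</version>
    </dependency>

    <!-- First option from the comment: keep htrace-core4 on the classpath
         (so org.apache.htrace.core.Tracer$Builder still resolves at runtime)
         but do not let it contribute any jackson artifact transitively.
         The wildcard artifactId exclusion needs Maven 3.2.1 or newer. -->
    <dependency>
      <groupId>org.apache.htrace</groupId>
      <artifactId>htrace-core4</artifactId>
      <version>4.1.0-incubating</version>
      <exclusions>
        <exclusion>
          <groupId>com.fasterxml.jackson.core</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm what actually resolves with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; every jackson-core and jackson-databind node should show the pinned version. One caveat a scanner result will keep raising: as the later comment in this thread explains, htrace-core4 carries a relocated (shaded) copy of jackson inside its own jar, and neither an exclusion nor a dependencyManagement pin touches classes that are packaged inside another artifact. Listing the jar contents (`jar tf htrace-core4-4.1.0-incubating.jar`) shows whether such relocated classes are present, and whether your product ever hands untrusted JSON to them is the question that decides the actual risk.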
[jira] [Commented] (HDFS-15333) Vulnerability fixes need for jackson-databinding HDFS dependency library
[ https://issues.apache.org/jira/browse/HDFS-15333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17153209#comment-17153209 ]

weiyanen commented on HDFS-15333:
-

So NOW, how can I resolve this vulnerability problem? I've used htrace-core4-4.1.0-incubating and it used jackson 2.4.0 which has vulnerability issues. I must use htrace-core4-4.1.0-incubating, otherwise I would get an error for "org/apache/htrace/core/Tracer$Builder Context: java.lang.NoClassDefFoundError: org/apache/htrace/core/Tracer$Builder".
[jira] [Commented] (HDFS-15333) Vulnerability fixes need for jackson-databinding HDFS dependency library
[ https://issues.apache.org/jira/browse/HDFS-15333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17106840#comment-17106840 ]

Masatake Iwasaki commented on HDFS-15333:
-

> We should just remove htrace from dependency.

Sure, while it would not be urgent. Both htrace-core-3.1.0 and htrace-core4-4.1.0 have relocated jackson which is not exposed as a transitive dependency. No JSON deserialization is involved in the code path. Even JSON serialization is only used in specific span receivers which are barely used.