[https://issues.apache.org/jira/browse/HDFS-15333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17153209#comment-17153209]

weiyanen edited comment on HDFS-15333 at 7/8/20, 3:40 AM:
----------------------------------------------------------

So NOW, how can I resolve this vulnerability problem?

I've used htrace-core4-4.1.0-incubating and it used jackson 2.4.0, which has
vulnerability issues.

I must use htrace-core4-4.1.0-incubating; otherwise, I would get an error for
"org/apache/htrace/core/Tracer$Builder Context: java.lang.NoClassDefFoundError:
org/apache/htrace/core/Tracer$Builder".

Can we just ignore the vulnerability issue although the code scan throws out this
issue? Because "No JSON deserialization is involved the code path. Even JSON
serialization is only used in specific span receivers which is barely used."


> Vulnerability fixes need for jackson-databinding HDFS dependency library
> ------------------------------------------------------------------------
>
>                 Key: HDFS-15333
>                 URL: https://issues.apache.org/jira/browse/HDFS-15333
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.2.1
>         Environment: [^hdfs_imagescan_result.csv]
>            Reporter: Hridesh
>            Priority: Critical
>         Attachments: hdfs_imagescan_result.csv
>
>
> HDFS has a couple of dependencies which bundle the jackson library with
> vulnerabilities.
> Below is the list of libraries used by HDFS which have vulnerabilities:
>  * htrace-core4-4.1.0-incubating.jar:jackson-databind
>  * htrace-core-3.1.0-incubating.jar:jackson-databind
>  * aws-java-sdk-bundle-1.11.375.jar:jackson-databind
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  * jackson-databind-2.9.8.jar
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  
> For example: "htrace-core4-4.1.0-incubating" is built with jackson 2.4.0. POM
> URL:
> [https://github.com/apache/incubator-retired-htrace/blob/e12b5fcfaafa56d676fee5f873da01df6b61dac9/pom.xml]
>  
> Jackson versions < 2.9.1 have the below list of vulnerabilities:
>  * CVE-2019-14379
>  * CVE-2019-16335
>  * CVE-2019-17531
>  * CVE-2019-14540
>  * CVE-2018-11307
>  * CVE-2019-12402
>  * CVE-2018-7489
>  * CVE-2018-12022
>  * CVE-2019-14439
>  * CVE-2017-15095
>  * CVE-2017-7525
>  * CVE-2017-17485
>  
> Attaching image scan result file.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
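The scan finding above rests on which jackson-databind a shaded jar such as htrace-core4-4.1.0-incubating actually bundles. The following check is an added example, not code from the HDFS-15333 thread or the htrace project: it reads the Maven pom.properties that a bundled-whole artifact keeps inside the jar and compares the version against the "< 2.9.1" threshold quoted in the issue. The sample jar is constructed in the block; the function names and the threshold constant are assumptions.

```python
import io
import zipfile

# Maven metadata that a bundled (shaded-whole) jackson-databind carries inside a jar.
DATABIND_PROPS = ("META-INF/maven/com.fasterxml.jackson.core/"
                  "jackson-databind/pom.properties")
DATABIND_PKG = "com/fasterxml/jackson/databind/"
# Threshold as stated in HDFS-15333; a real audit would consult a CVE feed instead.
MIN_SAFE_VERSION = (2, 9, 1)


def parse_version(text):
    """'2.4.0' -> (2, 4, 0); a qualifier such as '-incubating' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def bundled_databind_version(jar_bytes):
    """Version string, 'unknown' (classes but no metadata), or None (not bundled)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if DATABIND_PROPS in names:
            for line in jar.read(DATABIND_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if any(n.startswith(DATABIND_PKG) for n in names):
            return "unknown"
    return None


def is_vulnerable(version):
    """Flag versions below the threshold; an unidentifiable bundle is flagged too."""
    if version is None:
        return False
    if version == "unknown":
        return True
    return parse_version(version) < MIN_SAFE_VERSION


def build_sample_jar(version):
    """Constructed stand-in for a shaded jar (not the real htrace-core4 artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(DATABIND_PKG + "ObjectMapper.class", b"\xca\xfe\xba\xbe")
        jar.writestr(DATABIND_PROPS, "groupId=com.fasterxml.jackson.core\n"
                     "artifactId=jackson-databind\nversion=%s\n" % version)
    return buf.getvalue()


if __name__ == "__main__":
    v = bundled_databind_version(build_sample_jar("2.4.0"))
    print("bundled jackson-databind %s -> vulnerable: %s" % (v, is_vulnerable(v)))
```

Run it against a real jar by passing the file's bytes to `bundled_databind_version`; a result of `unknown` means the classes were relocated without metadata and the version must be established another way.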
