[jira] [Created] (STORM-3918) Bump snakeyaml from 1.32 to 2.0

Alexandre Vermeerbergen (Jira) Fri, 12 May 2023 05:50:05 -0700

Alexandre Vermeerbergen created STORM-3918:
----------------------------------------------


             Summary: Bump snakeyaml from 1.32 to 2.0
                 Key: STORM-3918
                 URL: https://issues.apache.org/jira/browse/STORM-3918
             Project: Apache Storm
          Issue Type: Bug
          Components: storm-core
    Affects Versions: 2.4.0
            Reporter: Alexandre Vermeerbergen


Current snakeyaml version is vulnerable to 
[CVE-2022-1471|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471] 
which is rated [9.8 
CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-1471&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST]
 by NIST.

Trivial fix is to update to snakeyaml 2.0.

I tried to manually replace existing snakeyaml JAR with 2.0 version (but 
keeping the same JAR file name to avoid issue with potentially hard coded 
CLASSPATH), and then I restarted all Storm related processes (Nimbus, logview, 
Supervisor, Nimbus UI...) and deployed some topologies => everything worked fine

So it looks like a trivial task

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (STORM-3918) Bump snakeyaml from 1.32 to 2.0

Reply via email to