Hello Team,

We are planning to upgrade to HDFS 3.4.0 (client side), which fixes the majority of 
the CVEs listed by our scan reports. However, we have three CVEs on transitive 
3PPs included in hadoop-common which are not fixed in HDFS v3.4.0.

Our query is: if we update the individual transitive 3PPs to the versions 
in which the CVEs are fixed, is HDFS client 3.4.0 compatible with these 
versions? For example, is HDFS client 3.4.0 compatible with 
commons-compress-1.26.0 and apache-avro-1.11.3?

CVE Id          | Current Version - HDFS 3.3.6 | Updated Version - HDFS 3.4.0 | CVE Fixed in 3PP Version     | Severity
----------------|------------------------------|------------------------------|------------------------------|---------
CVE-2024-25710  | commons-compress-1.21        | commons-compress-1.24.0      | commons-compress-1.26.0      | High
CVE-2024-26308  | commons-compress-1.21        | commons-compress-1.24.0      | commons-compress-1.26.0      | High
CVE-2023-39410  | avro:1.7.7                   | avro:1.9.2                   | apache-avro version 1.11.3   | High

Regards
Sonal Sharma
