Xavier Fernandis created HBASE-29651:
----------------------------------------
Summary: Security Vulnerabilities in JRuby 9.4.12.1 - Multiple
CVEs Requiring Upgrade
Key: HBASE-29651
URL: https://issues.apache.org/jira/browse/HBASE-29651
Project: HBase
Issue Type: Bug
Reporter: Xavier Fernandis
h3. Overview
A Sonatype security scan has identified multiple vulnerabilities in our current
JRuby version, 9.4.12.1. These vulnerabilities pose security risks and require
immediate remediation through a version upgrade.
h3. Impact Assessment
* *High Risk:* 3 critical vulnerabilities with CVSS 7+ scores
* *Attack Vectors:* Denial of Service, Memory Exhaustion, Regular Expression DoS
* *Affected Components:* CGI gem, Net::IMAP library, REXML parser
* *Business Impact:* Potential service disruption, resource exhaustion
h3. Verified Fix Availability
Based on analysis of the JRuby release notes:
*Confirmed Fixes:*
* *CVE-2025-27219 & CVE-2025-27220:* Fixed in JRuby 9.4.14.0 (CGI gem updated
https://github.com/jruby/jruby/pull/8954)
* *CVE-2025-43857:* Fixed in JRuby 9.4.13.0 (Net::IMAP updated to 0.2.5
https://github.com/jruby/jruby/pull/8827)
h3. Recommended Solution
*Immediate Action Required:* Upgrade JRuby from 9.4.12.1 to *9.4.14.0*
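As an added verification aid (not part of this issue or the HBase code base), the following script maps the CVEs listed above to the JRuby version that fixes each one and reports which remain open for a given version string. It accepts a bare version, a `jruby -v` banner, or a line such as a `<jruby.version>` Maven property (the property name is an assumption, not something stated in this issue).

```python
"""Report which JRuby CVEs from this issue are still unfixed for a given JRuby version."""
import re

# Fixed-in versions exactly as stated in the issue:
# CGI gem fix landed in 9.4.14.0, Net::IMAP fix landed in 9.4.13.0.
FIXED_IN = {
    "CVE-2025-27219": "9.4.14.0",
    "CVE-2025-27220": "9.4.14.0",
    "CVE-2025-43857": "9.4.13.0",
}


def parse_version(text):
    """Extract the first dotted version (2 to 4 numeric parts) from text as an int tuple.

    Works on a bare version ("9.4.12.1"), a `jruby -v` banner, or a pom.xml
    property line like "<jruby.version>9.4.12.1</jruby.version>" (assumed name).
    """
    match = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def unfixed_cves(version_text):
    """Return the sorted CVE ids whose fix version is newer than the given version."""
    current = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if current < parse_version(fixed))


def minimum_safe_version():
    """Return the lowest JRuby version that closes every CVE in FIXED_IN."""
    return ".".join(str(p) for p in max(parse_version(v) for v in FIXED_IN.values()))


if __name__ == "__main__":
    # Constructed sample inputs; a real check would feed in `jruby -v` output
    # or the version property read from the build.
    for sample in ("jruby 9.4.12.1 (3.1.4) 2025-02-19 ...",
                   "<jruby.version>9.4.13.0</jruby.version>",
                   "9.4.14.0"):
        open_cves = unfixed_cves(sample)
        status = "OK" if not open_cves else "UPGRADE to " + minimum_safe_version()
        print(f"{sample!r}: {status} {open_cves}")
```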
h3. References
* [JRuby 9.4.14.0 Release Notes|https://github.com/jruby/jruby/releases/tag/9.4.14.0]
* [CVE-2025-27219 Details|https://nvd.nist.gov/vuln/detail/CVE-2025-27219]
* [CVE-2025-27220 Details|https://nvd.nist.gov/vuln/detail/CVE-2025-27220]
* [CVE-2025-43857 Details|https://nvd.nist.gov/vuln/detail/CVE-2025-43857]