[
https://issues.apache.org/jira/browse/KNOX-3218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar updated KNOX-3218:
--------------------------------
Description:
Currently Knox uses Jersey 2.6, which is more than 10 years old and is subject
to [CVE-2020-15250|https://www.cve.org/CVERecord?id=CVE-2020-15250].
This dependency should be upgraded to 2.47 (the most recent one on the 2.x line).
was:
The currently used hadoop-common dependency includes Jersey dependencies which
cause the following dependency convergence errors:
{noformat}
2025-11-24 17:30:25 - ERROR-root::util|421:: Dependency convergence error for
org.glassfish.jersey.core:jersey-common:jar:2.6 paths to dependency are:
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-server:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-common:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421:: and
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-server:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-client:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-common:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421:: and
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.containers:jersey-container-servlet:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.containers:jersey-container-servlet-core:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-common:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421:: and
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.containers:jersey-container-servlet:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-common:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421:: and
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.inject:jersey-hk2:jar:2.47:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-common:jar:2.47:compile
2025-11-24 17:30:25 - INFO-root::util|421::
2025-11-24 17:30:25 - INFO-root::util|421:: [ERROR]
2025-11-24 17:30:25 - ERROR-root::util|421:: Dependency convergence error for
org.glassfish.hk2:hk2-locator:jar:2.2.0 paths to dependency are:
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-server:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-common:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.hk2:hk2-locator:jar:2.2.0:compile
2025-11-24 17:30:25 - INFO-root::util|421:: and
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-server:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-client:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.hk2:hk2-locator:jar:2.2.0:compile
2025-11-24 17:30:25 - INFO-root::util|421:: and
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.core:jersey-server:jar:2.6:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.hk2:hk2-locator:jar:2.2.0:compile
2025-11-24 17:30:25 - INFO-root::util|421:: and
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.knox:gateway-spi:jar:3.0.0-SNAPSHOT
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.apache.hadoop:hadoop-common:jar:3.4.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.jersey.inject:jersey-hk2:jar:2.47:compile
2025-11-24 17:30:25 - INFO-root::util|421::
+-org.glassfish.hk2:hk2-locator:jar:2.6.1:compile
2025-11-24 17:30:25 - INFO-root::util|421::
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO]
------------------------------------------------------------------------
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] Reactor Summary:
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] build-tools 2.1.0-SNAPSHOT
......................... SUCCESS [06:53 min]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway 3.0.0-SNAPSHOT
........................... SUCCESS [02:54 min]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-test-utils
3.0.0-SNAPSHOT ................ SUCCESS [ 43.440 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-i18n 3.0.0-SNAPSHOT
...................... SUCCESS [ 4.999 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-util-common
3.0.0-SNAPSHOT ............... SUCCESS [ 17.962 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-util-configinjector
3.0.0-SNAPSHOT ....... SUCCESS [ 4.770 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-util-launcher
3.0.0-SNAPSHOT ............. SUCCESS [ 4.323 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-util-urltemplate
3.0.0-SNAPSHOT .......... SUCCESS [ 7.081 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-demo-ldap
3.0.0-SNAPSHOT ................. SUCCESS [ 37.964 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-demo-ldap-launcher
3.0.0-SNAPSHOT ........ SUCCESS [ 0.361 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-i18n-logging-log4j
3.0.0-SNAPSHOT ........ SUCCESS [ 2.796 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-i18n-logging-sl4j
3.0.0-SNAPSHOT ......... SUCCESS [ 2.886 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO] gateway-service-definitions
3.0.0-SNAPSHOT ....... SUCCESS [ 16.955 s]
2025-11-24 17:30:25 - INFO-root::util|421:: [INFO]
gateway-provider-rewrite-common 3.0.0-SNAPSHOT ... SUCCESS [ 5.112 s]
2025-11-24 17:30:25 - ERROR-root::util|421:: [INFO] gateway-spi 3.0.0-SNAPSHOT
....................... FAILURE [01:13 min]
{noformat}
We need to exclude all Jersey dependencies from {{hadoop-common}}, as Knox
controls its own versions of Jersey.
> Upgrade Jersey to 2.47
> ----------------------
>
> Key: KNOX-3218
> URL: https://issues.apache.org/jira/browse/KNOX-3218
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 3.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently Knox uses Jersey 2.6, which is more than 10 years old and is
> subject to [CVE-2020-15250|https://www.cve.org/CVERecord?id=CVE-2020-15250].
> This dependency should be upgraded to 2.47 (the most recent one on the 2.x
> line).
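The exclusion approach from the earlier description, sketched as a Maven fragment. This is an added example, not Knox's actual pom.xml or anything posted on the issue. It assumes `hadoop-common` is declared directly in the module that fails (`gateway-spi` in the log) and that the Jersey version is pinned centrally through the `jersey-bom` import. The excluded groupIds are the two the log shows arriving at 2.6.

```xml
<!-- Added illustration (assumed layout, not the project's real pom.xml). -->

<!-- Parent pom: pin every Jersey artifact to one version through the BOM,
     so the version the build resolves is the one the project chose. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.glassfish.jersey</groupId>
      <artifactId>jersey-bom</artifactId>
      <version>2.47</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Module pom (gateway-spi in the log): stop hadoop-common from pulling
     in its own Jersey 2.6 artifacts transitively. -->
<dependencies>
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-common</artifactId>
    <version>3.4.1</version>
    <exclusions>
      <!-- jersey-server, jersey-client, jersey-common at 2.6 -->
      <exclusion>
        <groupId>org.glassfish.jersey.core</groupId>
        <artifactId>*</artifactId>
      </exclusion>
      <!-- jersey-container-servlet and jersey-container-servlet-core at 2.6 -->
      <exclusion>
        <groupId>org.glassfish.jersey.containers</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Every path to `hk2-locator` 2.2.0 in the log runs through a Jersey 2.6 artifact, so these exclusions remove those paths as well. Running `mvn dependency:tree -Dincludes=org.glassfish.jersey.core` afterwards shows whether any 2.6 artifact is still resolved.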