[ 
https://issues.apache.org/jira/browse/HDFS-15333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17106840#comment-17106840
 ] 

Masatake Iwasaki commented on HDFS-15333:
-----------------------------------------

{quote}
We should just remove htrace from dependency.
{quote}

Sure, while it would not be urgent. Both htrace-core-3.1.0 and 
htrace-core4-4.1.0 have relocated jackson, which is not exposed as a transitive 
dependency. No JSON deserialization is involved in the code path. Even JSON 
serialization is only used in specific span receivers, which are barely used.

> Vulnerability fixes need for jackson-databinding HDFS dependency library
> ------------------------------------------------------------------------
>
>                 Key: HDFS-15333
>                 URL: https://issues.apache.org/jira/browse/HDFS-15333
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.2.1
>         Environment: [^hdfs_imagescan_result.csv]
>            Reporter: Hridesh
>            Priority: Critical
>         Attachments: hdfs_imagescan_result.csv
>
>
> HDFS has a couple of dependencies which include the jackson library with 
> vulnerabilities. 
> Below is the list of libraries used by HDFS which have vulnerabilities:
>  * htrace-core4-4.1.0-incubating.jar:jackson-databind
>  * htrace-core-3.1.0-incubating.jar:jackson-databind
>  * aws-java-sdk-bundle-1.11.375.jar:jackson-databind
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  * jackson-databind-2.9.8.jar
>  * hadoop-client-runtime-3.2.1.jar:jackson-databind
>  
> For example: "htrace-core4-4.1.0-incubating" is built with jackson 2.4.0. POM 
> URL: 
> [https://github.com/apache/incubator-retired-htrace/blob/e12b5fcfaafa56d676fee5f873da01df6b61dac9/pom.xml].
>  
> Jackson versions < 2.9.1 have the below list of vulnerabilities:
> CVE-2019-14379
> CVE-2019-16335
> CVE-2019-17531
> CVE-2019-14540
> CVE-2018-11307
> CVE-2019-12402
> CVE-2018-7489
> CVE-2018-12022
> CVE-2019-14439
> CVE-2017-15095
> CVE-2017-7525
> CVE-2017-17485
>  
> Attaching image scan result file.
>  
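The comment above distinguishes a jar that bundles Jackson under its original package (reachable by anything on the classpath) from one that relocates (shades) it under a vendor prefix. The following is an added example, not code from the Jira thread or from Hadoop/HTrace, that makes that check on a jar file; the shaded prefix used in the sample jar is a constructed placeholder, not HTrace's actual relocation.

```python
# Added example (not part of the Jira thread): classify Jackson class entries in
# a jar as "exposed" (original com/fasterxml/jackson/ package) or "relocated"
# (shaded under some other prefix), and pull the bundled Jackson version from
# a pom.properties file if the jar carries one.
import io
import re
import zipfile

JACKSON_ORIGINAL = "com/fasterxml/jackson/"
# A shaded copy keeps the trailing "fasterxml/jackson/..." path under a vendor
# prefix; this matches any such entry that is NOT in the original package.
RELOCATED = re.compile(r"^(?!com/fasterxml/jackson/).+/fasterxml/jackson/")
POM_PROPS_PREFIX = "META-INF/maven/com.fasterxml.jackson.core/"


def classify_jackson(jar_bytes):
    """Return (exposed, relocated, version_hint) for a jar given as bytes.

    exposed:      class entries in the original Jackson package
    relocated:    class entries under a shaded prefix
    version_hint: Jackson version from a bundled pom.properties, or None
    """
    exposed, relocated, version = [], [], None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                if name.startswith(JACKSON_ORIGINAL):
                    exposed.append(name)
                elif RELOCATED.match(name):
                    relocated.append(name)
            elif name.startswith(POM_PROPS_PREFIX) and name.endswith("pom.properties"):
                for line in jar.read(name).decode().splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    return exposed, relocated, version


def build_sample_jar(entries):
    """Build a constructed in-memory jar from {entry_name: bytes} (for demos/tests)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a shaded copy under a placeholder vendor prefix.
    shaded = build_sample_jar(
        {"org/example/shaded/fasterxml/jackson/databind/ObjectMapper.class": b""})
    print(classify_jackson(shaded))
```

To scan a real artifact, pass `open(path, "rb").read()` to `classify_jackson`; a non-empty `exposed` list means the jar puts Jackson on the consumer's classpath directly.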



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org