[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476079#comment-16476079 ]
Josh Elser commented on HBASE-20582:
------------------------------------

Jackson CVEs are remote-code-execution-grade issues, but actually seem to only be applicable when certain Spring or c3p0 libraries are on the classpath. I think I missed that these were only applicable sometimes. However, it seems like our use of Jackson client-side is pretty bogus too. We have it solely for some JSON representation of JMX MBeans which are only used server-side, as far as I can tell. I think we could move this to hbase-http and avoid Jackson client-side entirely (for non-shaded clients, obviously), which should remove concern for us controlling the Jackson version, right?

The Ruby CVEs are very... obtuse. JRuby appears to copy the stdlib from MRI Ruby, at which point we should be trusting JRuby to tell us when we need to upgrade. However, their security page was last updated in 2011 (sigh). Most CVEs in this list appear to not affect us, but CVE-2017-10784 might. It seems like our 9.1.10.0 version has stdlib from Ruby 2.3.5 and this hasn't changed. The version of RubyGems has changed slightly in newer versions (2.6.11 to 2.6.14).

For JRuby, this is all to say, I think the risk is less purely because we're not running some daemon/service; the vector is a user running untrusted code and shooting themselves in the foot. I think avoiding the JRuby upgrade for 2.0.x is fine. But for 2.1.x it would be good ([~Apache9])? If nothing else, for master.

> Bump up the Jackson and Jruby version because of some reported vulnerabilities
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Ankit Singhal
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in
> HBase.
> {code}
> Jackson(version:2.9.2):
> CVE-2017-17485
> CVE-2018-5968
> CVE-2018-7489
>
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool was somehow able to relate the vulnerabilities of Ruby with JRuby (the Java
> implementation).
> Not all of them directly affect HBase, but [~elserj] suggested that it is
> better to be on the updated version to avoid issues during an audit in a
> security-sensitive organization.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)