[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476147#comment-16476147 ]

Josh Elser commented on HBASE-20582:
------------------------------------

{quote}Jackson CVEs are remote-code execution grade issues, but actually seem 
to only be applicable when certain Spring or c3p0 libraries are on the 
classpath.
{quote}
I think this might be an issue for us in the 2.x line. Looking solely at us in 
HBase, we aren't affected by the Jackson CVEs.

However, since Jackson does exist client-side as well, we have to think about 
how our users will be using hbase-client and what dependencies they may have. 
In other words, a user may use Spring in their HBase application and have a 
problem where the necessary version of Jackson they need to avoid the security 
hole is incompatible with the one we ship. I think this leaves two questions:
 # Is Jackson shade-able?
 # Are there incompatibilities between Jackson 2.9.2 and 2.9.5?

I don't know the answer to either at this point.
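The classpath condition discussed above comes from how the reported Jackson CVEs are reached: they need polymorphic default typing switched on and a suitable class on the classpath, which is why an application that combines hbase-client with Spring or c3p0 is the case to think about. The following is an added example, not HBase code or anything from this ticket: it shows the Jackson 2.9 configuration that opens that path next to a closed-subtype configuration that does not, against a constructed JSON input. `com.example.SomeGadget`, the `Put`/`Get` request types and the field names are placeholders made up for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class JacksonTypingDemo {

    // Constructed input: JSON a caller could hand to an application that wraps
    // hbase-client and also pulls Jackson-using libraries such as Spring onto the
    // classpath. "com.example.SomeGadget" is a placeholder, not a real class.
    static final String UNTRUSTED =
        "{\"payload\":[\"com.example.SomeGadget\",{\"target\":\"http://attacker.invalid/x\"}]}";

    /** Vulnerable shape: an Object-typed field combined with global default typing. */
    public static class OpenHolder {
        public Object payload;
    }

    public static Object deserializeWithDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Jackson 2.9 API. With this enabled, the JSON itself names the class Jackson
        // instantiates for "payload". If that class is on the classpath and does
        // something dangerous in a constructor or setter, the class of reports this
        // ticket lists (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489) applies.
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper.readValue(json, OpenHolder.class).payload;
    }

    /** Hardened shape: default typing stays off; the subtype set is explicit and closed. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Put.class, name = "put"),
        @JsonSubTypes.Type(value = Get.class, name = "get")
    })
    public interface Request {}

    public static class Put implements Request { public String row; public String value; }
    public static class Get implements Request { public String row; }

    public static class ClosedHolder {
        public Request payload;
    }

    public static Request deserializeClosed(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();   // no enableDefaultTyping call
        // Only the logical names "put" and "get" resolve; a class name in "kind"
        // raises InvalidTypeIdException before any class is loaded.
        return mapper.readValue(json, ClosedHolder.class).payload;
    }

    public static void main(String[] args) throws Exception {
        // Accepted: a type name from the closed set.
        String ok = "{\"payload\":{\"kind\":\"put\",\"row\":\"r1\",\"value\":\"v1\"}}";
        System.out.println("closed set accepted: "
            + deserializeClosed(ok).getClass().getSimpleName());

        // Rejected: a class name instead of a registered logical name.
        String bad = "{\"payload\":{\"kind\":\"com.example.SomeGadget\",\"row\":\"r1\"}}";
        try {
            deserializeClosed(bad);
        } catch (InvalidTypeIdException e) {
            System.out.println("closed set rejected type id: " + e.getTypeId());
        }

        // The vulnerable path. With the placeholder name Jackson fails to resolve the
        // class; with a real class of the kind the CVEs describe on the classpath it
        // would have instantiated it from attacker-controlled JSON.
        try {
            deserializeWithDefaultTyping(UNTRUSTED);
        } catch (Exception e) {
            System.out.println("default typing attempted class lookup: " + e.getMessage());
        }
    }
}
```

The point for the shading question in the comment above is that the hardened form does not depend on which Jackson version wins on the classpath: an application that never enables default typing and declares its subtypes explicitly is not reachable through these reports, whereas one that enables default typing is only as safe as the newest gadget blacklist in whichever jackson-databind ends up loaded.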

> Bump up the Jackson and Jruby version because of some reported vulnerabilities
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Ankit Singhal
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in 
> HBase.
> {code}
> Jackson(version:2.9.2):
> CVE-2017-17485
> CVE-2018-5968
> CVE-2018-7489
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool was somehow able to relate the Ruby vulnerabilities to JRuby (the Java 
> implementation).
> Not all of them directly affect HBase, but [~elserj] suggested that it is 
> better to be on the updated version to avoid issues during an audit in a 
> security-sensitive organization.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
