[
https://issues.apache.org/jira/browse/HBASE-23834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17035931#comment-17035931
]
Wei-Chiu Chuang commented on HBASE-23834:
-----------------------------------------
Yeah, make sense to me. The CVE has a 7.5 High score. Worth dropping support
for older Hadoop that doesn't have this.
We probably should update Jetty in Hadoop 2.10.... at this point there's little
attention paid to Hadoop 2.9/2.8.
> HBase fails to run on Hadoop 3.3.0/3.2.2/3.1.4 due to jetty version mismatch
> ----------------------------------------------------------------------------
>
> Key: HBASE-23834
> URL: https://issues.apache.org/jira/browse/HBASE-23834
> Project: HBase
> Issue Type: Bug
> Reporter: Wei-Chiu Chuang
> Priority: Major
>
> HBase master branch is currently on Jetty 9.3, and latest Hadoop 3
> (unreleased branches trunk, branch-3.2 and branch-3.1) bumped Jetty to 9.4 to
> address a vulnerability CVE-2017-9735.
> (1) Jetty 9.3 and 9.4 are quite different (there are incompatible API
> changes) and HBase won't start on the latest Hadoop 3.
> (2) In any case, HBase should update its Jetty dependency to address the
> vulnerability.
> Fortunately for HBase, updating to Jetty 9.4 requires no code change other
> than the maven version string.
> More tests are needed to verify if HBase can run on older Hadoop versions if
> its Jetty is updated.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
