[ https://issues.apache.org/jira/browse/HBASE-28099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17767014#comment-17767014 ]

Duo Zhang commented on HBASE-28099:
-----------------------------------

For hbase, typically we use shaded protobuf; in hbase-thirdparty, we are 
currently planning a new release in which we will bump the protobuf version to 
3.24.3.

See HBASE-28093.

But unfortunately, hbase still needs protobuf 2.5 for supporting coprocessor 
endpoints. There is an issue for tracking the problem, HBASE-27436, but there is 
still no big progress yet. It is not easy to fix without breaking 
compatibility...

Thanks.

> protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 
> 3.16.3 is vulnerable to CVE-2022-3509
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-28099
>                 URL: https://issues.apache.org/jira/browse/HBASE-28099
>             Project: HBase
>          Issue Type: Bug
>          Components: hadoop2
>    Affects Versions: 2.4.13
>            Reporter: kaushik mandal
>            Priority: Major
>
> protobuf-java 3.23.2 is causing increasing disk usage. Because of this we are 
> not in a position to upgrade protobuf to the latest version.
> We are currently using hbase 2.4.13, which uses a protobuf version older than 
> 3.23.2 which is vulnerable to CVE.
> Is there any latest hbase and hadoop version available which is using 
> protobuf version 3.23.2?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)