rmoff opened a new issue, #15621: URL: https://github.com/apache/iceberg/issues/15621
> [!NOTE]
> This analysis was performed with the assistance of Claude Opus 4.6 (Anthropic).

## Summary

The Kafka Connect runtime distribution includes `parquet-jackson-1.17.0.jar` which shades `com.fasterxml.jackson.core:jackson-core:2.19.2`. This version is affected by [GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq) (HIGH severity).

The vulnerability is in the non-blocking (async) JSON parser, which bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `StreamReadConstraints`. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion (DoS).

Note: Iceberg's own direct `jackson-core` dependency is already at 2.21.1 (fixed). This issue is specifically about the **shaded copy** inside `parquet-jackson`.

## Reproducing

Build the Kafka Connect runtime distribution and scan with Trivy:

```bash
# Build from main
./gradlew :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip -x test -x integrationTest

# Unzip the distribution
unzip -q kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip -d /tmp/iceberg-kc-scan

# Scan with Trivy (use rootfs mode for standalone JAR detection)
trivy rootfs /tmp/iceberg-kc-scan/iceberg-kafka-connect-runtime-*/lib/ -s HIGH,CRITICAL --scanners vuln
```

Trivy output (relevant finding):

```
parquet-jackson-1.17.0.jar (jar)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────────────────────────┬─────────────────────┬──────────┬─────────┬───────────────────────┬──────────────────────┐
│           Library           │    Vulnerability    │ Severity │ Version │     Fixed Version     │        Title         │
├─────────────────────────────┼─────────────────────┼──────────┼─────────┼───────────────────────┼──────────────────────┤
│ com.fasterxml.jackson.core: │ GHSA-72hv-8253-57qq │   HIGH   │ 2.19.2  │ 2.18.6, 2.21.1, 3.1.0 │ jackson-core: Number │
│ jackson-core                │                     │          │         │                       │ Length Constraint    │
│                             │                     │          │         │                       │ Bypass ...           │
└─────────────────────────────┴─────────────────────┴──────────┴─────────┴───────────────────────┴──────────────────────┘
```

## Analysis

The vulnerable `jackson-core:2.19.2` is **shaded inside** `parquet-jackson-1.17.0.jar`. This means it cannot be fixed by overriding the jackson-core version in Iceberg's dependency management — it requires an upstream Parquet release with an updated shaded jackson-core.

### Dependency chain

`parquet-jackson:1.17.0` (containing shaded `jackson-core:2.19.2`) is pulled in transitively by:

- `iceberg-parquet` → `parquet-hadoop:1.17.0` → `parquet-jackson:1.17.0`

### Upstream tracking

- **parquet-java issue:** [apache/parquet-java#3410](https://github.com/apache/parquet-java/issues/3410) — filed March 2, 2026, no response yet
- Latest parquet-java release is 1.17.0 (January 13, 2026), which predates this advisory (February 28, 2026)

## Blocked on

- A new `parquet-java` release that bumps the shaded jackson-core to >= 2.21.1

## References

- Advisory: https://github.com/FasterXML/jackson-core/security/advisories/GHSA-72hv-8253-57qq
- Upstream fix PR: https://github.com/FasterXML/jackson-core/pull/1555
- Parquet tracking issue: https://github.com/apache/parquet-java/issues/3410

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
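The point of the issue is that the vulnerable copy lives inside another artifact, so a dependency-tree check on `jackson-core` says 2.21.1 while the runtime still ships 2.19.2. The following added example (my code, not from the issue, Iceberg, Parquet or Trivy) performs the same kind of check Trivy did: it opens each jar under the distribution's `lib/` directory, reads the `META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties` that a shaded jar typically still carries, and flags the version against the three fixed releases in the finding. It assumes shading left that `pom.properties` in place (if it was stripped, the scan is silent and the jar needs manual inspection), and the per-branch mapping of fixed versions is my inference from the three listed releases, not text from the advisory.

```python
import io
import re
import zipfile
from pathlib import Path

# Fixed releases come from the Trivy finding above; the per-branch mapping is an
# assumption derived from those three versions, so confirm it against the advisory.
POM_PROPS = re.compile(r"^META-INF/maven/com\.fasterxml\.jackson\.core/jackson-core/pom\.properties$")

def parse_version(version: str) -> tuple:
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable jackson-core version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_fixed(version: str) -> bool:
    """True only when the version is at or above the fixed release of its branch."""
    major, minor, _ = v = parse_version(version)
    if major == 2 and minor == 18:
        return v >= (2, 18, 6)
    if major == 2 and minor >= 19:
        return v >= (2, 21, 1)
    if major == 3:
        return v >= (3, 1, 0)
    return False  # older or unknown branch: treat as affected and review manually

def shaded_jackson_versions(jar) -> list:
    """Read jackson-core versions from the pom.properties a shaded jar still carries."""
    source = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    found = []
    with zipfile.ZipFile(source) as zf:
        for name in zf.namelist():
            if POM_PROPS.match(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        found.append(line.split("=", 1)[1].strip())
    return found

def audit_jar(jar) -> list:
    return [(v, is_fixed(v)) for v in shaded_jackson_versions(jar)]

def audit_lib_dir(lib_dir) -> dict:
    """Map each jar under lib/ that shades jackson-core to its (version, fixed?) pairs."""
    return {p.name: r for p in sorted(Path(lib_dir).glob("*.jar")) if (r := audit_jar(p))}

def build_sample_jar(version: str) -> bytes:
    """Constructed stand-in for parquet-jackson: a zip carrying only the shaded pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
                    f"groupId=com.fasterxml.jackson.core\nartifactId=jackson-core\nversion={version}\n")
    return buf.getvalue()
```

Running `audit_lib_dir("/tmp/iceberg-kc-scan/iceberg-kafka-connect-runtime-*/lib")` (with the glob expanded) against the unzipped distribution reports `parquet-jackson-1.17.0.jar` with `("2.19.2", False)`; a jar whose shaded copy was relocated without its `pom.properties` will not appear and must be checked by hand.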
