[ https://issues.apache.org/jira/browse/RATIS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16630796#comment-16630796 ]
Tsz Wo Nicholas Sze commented on RATIS-294:
-------------------------------------------
Here is a link:
https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=22215
> Fix ratis-hadoop CVEs
> ---------------------
>
> Key: RATIS-294
> URL: https://issues.apache.org/jira/browse/RATIS-294
> Project: Ratis
> Issue Type: Improvement
> Components: HadoopRPC
> Reporter: Tsz Wo Nicholas Sze
> Assignee: Tsz Wo Nicholas Sze
> Priority: Blocker
> Labels: ozone
> Attachments: r294_20180921.patch
>
>
> There are multiple CVEs found in ratis-hadoop.
> - CVE-2012-4449 | High org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2016-5001 | Low org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2017-3161 | Medium org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2017-3162 | High org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> It is very likely that the CVEs come from the Hadoop dependency. We should
> either update the Hadoop version or temporarily remove Hadoop dependency in
> order to fix the CVEs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)