[ 
https://issues.apache.org/jira/browse/STORM-3754?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bipin Prasad updated STORM-3754:
--------------------------------
    Description: 
storm-hdfs-examples and storm-hive-examples use com.google.guava:guava:16.0.1
This has known vulnerability https://nvd.nist.gov/vuln/detail/CVE-2018-10237

"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 
allows remote attackers to conduct denial of service attack."

The guava version downgrade was required earlier because of hadoop-hdfs 2.6.1.
Since storm is now using hadoop-hdfs 2.8.5, this downgrade may not be necessary.

It is possible that a separate jar may need to be added as dependency 
com.google.guava:failureaccess:1.0. See 
https://github.com/google/guava/releases around Oct 18, 2018 when Guava version 
27.0 was released. Note that Hadoop HDFS 2.8.5 was released on Sep 8, 2018 
(i.e. before the guava version 27.0).

  was:
storm-hdfs-examples and storm-hive-examples use com.google.guava:guava:16.0.1
This has known vulnerability https://nvd.nist.gov/vuln/detail/CVE-2018-10237

"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 
allows remote attackers to conduct denial of service attack."

The guava version downgrade was required earlier because of hadoop-hdfs 2.6.1.
Since storm is now using hadoop-hdfs 2.8.5, this downgrade may not be necessary.


> Upgrade Guava version because of security vulnerability
> -------------------------------------------------------
>
>                 Key: STORM-3754
>                 URL: https://issues.apache.org/jira/browse/STORM-3754
>             Project: Apache Storm
>          Issue Type: Improvement
>          Components: storm-hdfs, storm-hive
>            Reporter: Bipin Prasad
>            Priority: Minor
>
> storm-hdfs-examples and storm-hive-examples use com.google.guava:guava:16.0.1
> This has known vulnerability https://nvd.nist.gov/vuln/detail/CVE-2018-10237
> "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 
> allows remote attackers to conduct denial of service attack."
> The guava version downgrade was required earlier because of hadoop-hdfs 2.6.1.
> Since storm is now using hadoop-hdfs 2.8.5, this downgrade may not be 
> necessary.
> It is possible that a separate jar may need to be added as dependency 
> com.google.guava:failureaccess:1.0. See 
> https://github.com/google/guava/releases around Oct 18, 2018 when Guava 
> version 27.0 was released. Note that Hadoop HDFS 2.8.5 was released on Sep 8, 
> 2018 (i.e. before the guava version 27.0).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
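As an added illustration (not part of this issue and not Storm project code): a small Python check that scans `mvn dependency:tree` output for Guava coordinates whose version falls in the range NVD lists for CVE-2018-10237 (11.0 up to but not including 24.1.1). The sample tree text is constructed for the example and is not real Storm build output; the function and constant names are the example's own.

```python
import re
from typing import List, Tuple

# Affected range as stated by NVD for CVE-2018-10237:
# "Google Guava 11.0 through 24.x before 24.1.1"
CVE_2018_10237_FIRST_AFFECTED = (11, 0)
CVE_2018_10237_FIXED_IN = (24, 1, 1)

# A Guava coordinate as printed by `mvn dependency:tree`,
# e.g. "com.google.guava:guava:jar:16.0.1:compile"
GUAVA_COORD = re.compile(
    r"com\.google\.guava:guava:jar:(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)

# Constructed sample output (not a real build); the project line is a placeholder.
SAMPLE_TREE = """\
[INFO] org.example:example-hdfs-examples:jar:example-SNAPSHOT
[INFO] +- com.google.guava:guava:jar:16.0.1:compile
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:2.8.5:compile
[INFO] |  \\- org.apache.hadoop:hadoop-common:jar:2.8.5:compile
[INFO] \\- org.example:example-client:jar:example-SNAPSHOT:provided
"""


def parse_guava_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.1', '24.1.1-jre' or '27.0-android' into a comparable int tuple.

    Guava 22+ publishes '-jre' and '-android' flavours of the same release; the
    flavour suffix does not change the fix level, so only the numeric prefix is
    compared. Versions with no numeric prefix (e.g. the old 'r09' releases)
    map to (0,), which is below the affected range.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        return (0,)
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_to_cve_2018_10237(version: str) -> bool:
    """True when 11.0 <= version < 24.1.1 (tuple comparison: (24, 1) < (24, 1, 1))."""
    v = parse_guava_version(version)
    return CVE_2018_10237_FIRST_AFFECTED <= v < CVE_2018_10237_FIXED_IN


def find_vulnerable_guava(tree_output: str) -> List[dict]:
    """Report every Guava occurrence in the affected range, with version and scope."""
    findings = []
    for line in tree_output.splitlines():
        m = GUAVA_COORD.search(line)
        if m and is_vulnerable_to_cve_2018_10237(m.group("version")):
            findings.append({
                "version": m.group("version"),
                "scope": m.group("scope") or "compile",
                "line": line.strip(),
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_guava(SAMPLE_TREE):
        print(f"CVE-2018-10237: guava {f['version']} ({f['scope']}) -> {f['line']}")
```

In a real check, feed the function the output of `mvn dependency:tree -Dverbose` from the module in question; the verbose form also prints the versions Maven omitted because of conflict resolution, so an upgrade in one module that is silently overridden by a nearer declaration elsewhere still shows up.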
