[ https://issues.apache.org/jira/browse/STORM-3592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla closed STORM-3592.
----------------------------------
    Resolution: Invalid

Looks like this is outdated as we updated a lot of dependencies since this was reported. Feel free to open a new Jira.

> Vulnerable dependencies in your project.(CVEs)
> ----------------------------------------------
>
>                 Key: STORM-3592
>                 URL: https://issues.apache.org/jira/browse/STORM-3592
>             Project: Apache Storm
>          Issue Type: Dependency upgrade
>            Reporter: XuCongying
>            Priority: Major
>
> Hi,
> I found some CVEs in the library dependencies, which may affect the security of your projects. In order to avoid threats, I recommend updating to a safe version. Here is the detailed information:
>
> Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.8.5
> CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
> Import Path: external/storm-hdfs/pom.xml, external/storm-hdfs-blobstore/pom.xml, external/storm-blobstore-migration/pom.xml
> Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>
> Vulnerable Library Version: org.eclipse.jetty : jetty-server : 9.4.14.v20181114
> CVE ID: [CVE-2019-10247](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247)
> Import Path: examples/storm-loadgen/pom.xml, storm-core/pom.xml
> Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117
>
> Vulnerable Library Version: org.apache.commons : commons-compress : 1.18
> CVE ID: [CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)
> Import Path: storm-server/pom.xml, examples/storm-pmml-examples/pom.xml
> Suggested Safe Versions: 1.19, 1.20
>
> Vulnerable Library Version: org.eclipse.jetty : jetty-util : 9.4.14.v20181114
> CVE ID: [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246), [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241)
> Import Path: storm-core/pom.xml
> Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117
>
> Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 0.11.0.3
> CVE ID: [CVE-2019-17196](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196)
> Import Path: external/storm-kafka-client/pom.xml, external/storm-kafka-client/pom.xml
> Suggested Safe Versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
>
> Vulnerable Library Version: com.google.guava : guava : 17.0
> CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
> Import Path: external/storm-solr/pom.xml, examples/storm-solr-examples/pom.xml
> Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>
> Vulnerable Library Version: com.google.guava : guava : 16.0.1
> CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
> Import Path: sql/storm-sql-runtime/pom.xml, sql/storm-sql-external/storm-sql-hdfs/pom.xml...(The rest of the 17 paths is hidden.)
> Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>
> Vulnerable Library Version: org.apache.thrift : libthrift : 0.9.3
> CVE ID: [CVE-2018-1320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320)
> Import Path: external/storm-hive/pom.xml
> Suggested Safe Versions: 0.12.0, 0.13.0
>
> Vulnerable Library Version: org.apache.activemq : activemq-client : 5.15.8
> CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
> Import Path: examples/storm-jms-examples/pom.xml
> Suggested Safe Versions: 5.15.10, 5.15.11, 5.15.9
>
> Vulnerable Library Version: org.apache.solr : solr-core : 5.5.5
> CVE ID: [CVE-2017-3164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164), [CVE-2019-0192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192)
> Import Path: external/storm-solr/pom.xml
> Suggested Safe Versions: 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1
>
> Vulnerable Library Version: org.fusesource.mqtt-client : mqtt-client : 1.14
> CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
> Import Path: examples/storm-mqtt-examples/pom.xml
> Suggested Safe Versions: 1.16
>
> Vulnerable Library Version: org.fusesource.mqtt-client : mqtt-client : 1.10
> CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
> Import Path: external/storm-mqtt/pom.xml
> Suggested Safe Versions: 1.16
>
> Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.9.8
> CVE ID: [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-16335](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384), [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439), [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-14379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379), [CVE-2019-14540](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540), [CVE-2019-17267](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267), [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942)
> Import Path: sql/storm-sql-runtime/pom.xml, external/storm-hbase/pom.xml, external/storm-elasticsearch/pom.xml, external/storm-kafka-migration/pom.xml, external/storm-redis/pom.xml, external/storm-opentsdb/pom.xml, external/storm-kafka-client/pom.xml, storm-webapp/pom.xml
> Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3

--
This message was sent by Atlassian Jira
(v8.20.10#820010)