Details
-
Bug
-
Status: Resolved
-
Low
-
Resolution: Not A Problem
-
None
-
Security
-
Low
-
Low Hanging Fruit
-
User Report
-
All
-
None
Description
There are a couple of security vulnerabilities that show up in libraries that cassandra pulls in.
- apache commons-collections v 3.2.1
- apache commons-beanutils v 1.7.0
For number one, there is a well-known security vulnerability in apache commons-collection 3.2.1 (see https://www.kb.cert.org/vuls/id/576313 and https://issues.apache.org/jira/browse/COLLECTIONS-580). This is fixed/mitigated in commons-collections 3.2.2.
All current versions of cassandra (including 4.0beta4) pull in commons-collections 3.2.1 via apache-rat 0.10. Is it possible to upgrade apache-rat to version 0.12 in order to pull in the latest version of commons-collections? See https://github.com/apache/creadur-rat/commit/2380409fbcd02b418eceacfdc1e486bdbbca9632.
I made the below change in 3.0.24 src and recompiled without errors.
// code placeholder diff --git a/cassandra/cassandra-3.0-src/build.xml b/cassandra/cassandra-3.0-src/build.xml index 73c9889d81..ed236443d4 100644 --- a/cassandra/cassandra-3.0-src/build.xml +++ b/cassandra/cassandra-3.0-src/build.xml @@ -402,3 +402,3 @@ <dependency groupId="org.reflections" artifactId="reflections" version="0.9.12" /> - <dependency groupId="org.apache.rat" artifactId="apache-rat" version="0.10"> + <dependency groupId="org.apache.rat" artifactId="apache-rat" version="0.12"> <exclusion groupId="commons-lang" artifactId="commons-lang"/> @@ -1605,3 +1605,3 @@ <artifact:dependencies pathId="rat.classpath"> - <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks" version="0.6" /> + <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks" version="0.12" /> <remoteRepository refid="central"/>
For number two, I was able to discern that beanutils is coming from hadoop-core which is version 1.0.3. I believe this also is quite out of date and could be upgraded.
Could someone take a look and see if these version upgrades are possible?
{{}}