Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-16528

Update Cassandra dependencies to fix security vulnerabilities

    XMLWordPrintableJSON

    Details

    • Bug Category:
      Security
    • Severity:
      Low
    • Complexity:
      Low Hanging Fruit
    • Discovered By:
      User Report
    • Platform:
      All
    • Impacts:
      None

      Description

      There are a couple of security vulnerabilities that show up in libraries that cassandra pulls in.

      1. apache commons-collections v 3.2.1
      2. apache commons-beanutils v 1.7.0

      For number one, there is a well-known security vulnerability in apache commons-collection 3.2.1 (see https://www.kb.cert.org/vuls/id/576313 and https://issues.apache.org/jira/browse/COLLECTIONS-580). This is fixed/mitigated in commons-collections 3.2.2.

      All current versions of cassandra (including 4.0beta4) pull in commons-collections 3.2.1 via apache-rat 0.10. Is it possible to upgrade apache-rat to version 0.12 in order to pull in the latest version of commons-collections? See https://github.com/apache/creadur-rat/commit/2380409fbcd02b418eceacfdc1e486bdbbca9632.

      I made the below change in 3.0.24 src and recompiled without errors.

      // code placeholder
      diff --git a/cassandra/cassandra-3.0-src/build.xml b/cassandra/cassandra-3.0-src/build.xml
      index 73c9889d81..ed236443d4 100644
      --- a/cassandra/cassandra-3.0-src/build.xml
      +++ b/cassandra/cassandra-3.0-src/build.xml
      @@ -402,3 +402,3 @@
                 <dependency groupId="org.reflections" artifactId="reflections" version="0.9.12" />
      -          <dependency groupId="org.apache.rat" artifactId="apache-rat" version="0.10">
      +          <dependency groupId="org.apache.rat" artifactId="apache-rat" version="0.12">
                    <exclusion groupId="commons-lang" artifactId="commons-lang"/>
      @@ -1605,3 +1605,3 @@
           <artifact:dependencies pathId="rat.classpath">
      -      <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks" version="0.6" />
      +      <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks" version="0.12" />
             <remoteRepository refid="central"/>
      

       

      For number two, I was able to discern that beanutils is coming from hadoop-core which is version 1.0.3.  I believe this also is quite out of date and could be upgraded. 

      Could someone take a look and see if these version upgrades are possible?

      {{}}

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              lhx LHX
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: