[CASSANDRA-16734] Remediate Cassandra 3.11.10 JAR dependency vulnerabilities - ASF JIRA

Agile Board

Attach files

Attach Screenshot

Bulk Copy Attachments

Bulk Move Attachments

Voters

Watch issue

Watchers

Create sub-task

Convert to sub-task

Move

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Normal
Resolution: Invalid
Fix Version/s: 3.11.11
Component/s: Dependencies
Labels:
None

Platform:

All
Impacts:

None

Description

Several JAR dependencies are flagged in Cassandra 3.11.10 as having vulnerabilities that have been fixed in newer releases.
The following is the Cassandra 3.11.10 source tree for their JAR dependencies: https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib

A possible fix strategy is to simply update the JARs to their newest version. See the JAR files available for each vulnerable library:

Attachments

Attachments

Issue Links

Add Link

duplicates

CASSANDRA-16463 high and critical CVEs io.netty to 4.1.42.Final to fix critical and high vulnerabilities

Resolved

Delete this link

CASSANDRA-16462 Upgrade to Jackson Databind 2.9.10.8 or later fix high vulnerabilities

Resolved

Delete this link

is cloned by

CASSANDRA-16741 Remediate Cassandra 3.11.10 JAR dependency vulnerability - com.google.guava_guava

Resolved

Delete this link

CASSANDRA-16738 Remediate Cassandra 3.11.10 JAR dependency vulnerability - org.yaml_snakeyaml

Triage Needed

Delete this link

CASSANDRA-16739 Remediate Cassandra 3.11.10 JAR dependency vulnerability - org.apache.thrift_libthrift

Triage Needed

Delete this link

CASSANDRA-16740 Remediate Cassandra 3.11.10 JAR dependency vulnerability - ch.qos.logback_logback-core

Triage Needed

Delete this link

CASSANDRA-16742 Remediate Cassandra 3.11.10 JAR dependency vulnerability - commons-codec_commons-codec

Triage Needed

Delete this link

CASSANDRA-16743 Remediate Cassandra 3.11.10 JAR dependency vulnerability - com.thinkaurelius.thrift_thrift-server

Triage Needed

Delete this link

(3 is cloned by)

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Unassigned Assign to me

Reporter:: Daniel Gomez

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/Jun/21 17:00

Updated:: 01/Aug/21 11:07

Resolved:: 11/Jun/21 18:51

Agile

Slack

Issue deployment