[CASSANDRA-16734] Remediate Cassandra 3.11.10 JAR dependency vulnerabilities - ASF JIRA

XML

Word

Printable

JSON

Several JAR dependencies are flagged in Cassandra 3.11.10 as having vulnerabilities that have been fixed in newer releases.
The following is the Cassandra 3.11.10 source tree for their JAR dependencies: https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib

A possible fix strategy is to simply update the JARs to their newest version. See the JAR files available for each vulnerable library:

duplicates

CASSANDRA-16463 high and critical CVEs io.netty to 4.1.42.Final to fix critical and high vulnerabilities

CASSANDRA-16462 Upgrade to Jackson Databind 2.9.10.8 or later fix high vulnerabilities

is cloned by

CASSANDRA-16741 Remediate Cassandra 3.11.10 JAR dependency vulnerability - com.google.guava_guava

CASSANDRA-16738 Remediate Cassandra 3.11.10 JAR dependency vulnerability - org.yaml_snakeyaml

CASSANDRA-16739 Remediate Cassandra 3.11.10 JAR dependency vulnerability - org.apache.thrift_libthrift

CASSANDRA-16740 Remediate Cassandra 3.11.10 JAR dependency vulnerability - ch.qos.logback_logback-core

CASSANDRA-16742 Remediate Cassandra 3.11.10 JAR dependency vulnerability - commons-codec_commons-codec

CASSANDRA-16743 Remediate Cassandra 3.11.10 JAR dependency vulnerability - com.thinkaurelius.thrift_thrift-server

(3 is cloned by)