[HADOOP-17171] Please fix CVEs by removing reference to htrace-core4 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 3.3.0
Fix Version/s: None
Component/s: common
Labels:
None

Description

htrace-core4 is a retired project and even on the latest version they Shade Jackson databind version 2.4.0 which has the following CVEs:

cve	severity	cvss
CVE-2017-15095	critical	9.8
CVE-2018-1000873	medium	6.5
CVE-2018-14718	critical	9.8
CVE-2018-5968	high	8.1
CVE-2018-7489	critical	9.8
CVE-2019-14540	critical	9.8
CVE-2019-14893	critical	9.8
CVE-2019-16335	critical	9.8
CVE-2019-16942	critical	9.8
CVE-2019-16943	critical	9.8
CVE-2019-17267	critical	9.8
CVE-2019-17531	critical	9.8
CVE-2019-20330	critical	9.8
CVE-2020-10672	high	8.8
CVE-2020-10673	high	8.8
CVE-2020-10968	high	8.8
CVE-2020-10969	high	8.8
CVE-2020-11111	high	8.8
CVE-2020-11112	high	8.8
CVE-2020-11113	high	8.8
CVE-2020-11619	critical	9.8
CVE-2020-11620	critical	9.8
CVE-2020-14060	high	8.1
CVE-2020-14061	high	8.1
CVE-2020-14062	high	8.1
CVE-2020-14195	high	8.1
CVE-2020-8840	critical	9.8
CVE-2020-9546	critical	9.8
CVE-2020-9547	critical	9.8
CVE-2020-9548	critical	9.8

Our security team is trying to block us from using hadoop because of this

Attachments

Issue Links

duplicates

HADOOP-15566 Support OpenTelemetry

Patch Available

Is contained by

HADOOP-17424 Replace HTrace with No-Op tracer

Resolved

is related to

HDFS-15333 Vulnerability fixes need for jackson-databinding HDFS dependency library

Open

Activity

People

Assignee:: Unassigned

Reporter:: Rodney Aaron Stainback

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 30/Jul/20 18:54

Updated:: 27/May/21 00:34

Resolved:: 06/Aug/20 10:31