HADOOP-18344: AWS SDK update to 1.12.262 to address jackson CVE-2018-7489 and AWS CVE-2022-31159

Project: Hadoop Common. Parent issue: HADOOP-18067 Über-jira: S3A Hadoop 3.3.5 features.


Details

• Reviewed
• The AWS SDK has been updated to 1.12.262 to address jackson CVE-2018-7489

Description

CVE-2022-31159 is a vulnerability in path resolution in the AWS SDK transfer manager during downloads.

The s3a client is not exposed to this. It uses the class for local file upload and for object copying, but not download.

It may affect downstream use by other applications.

Yet another jackson CVE in the AWS SDK:
https://github.com/apache/hadoop/pull/4491/commits/5496816b472473eb7a9c174b7d3e69b6eee1e271

Maybe we need to have a list of all shaded jacksons we get on the CP and have a process of upgrading them all at the same time.
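The inventory the last paragraph asks for, written here as an added example (not code from this issue, the Hadoop project or the AWS SDK): scan the jars on a classpath for every jackson-databind copy, including ones shaded into other jars, by reading the Maven pom.properties each copy carries. It assumes the shading left that metadata in place; the sample jars and version strings it builds are constructed for the demonstration, not real SDK contents.

```python
import os
import tempfile
import zipfile

# Maven metadata that a shaded copy of jackson-databind usually still carries (the
# shade plugin keeps META-INF/maven by default); copies with it stripped are missed.
POM_PREFIX = "META-INF/maven/com.fasterxml.jackson.core/"

def jackson_artifacts_in_jar(jar_path):
    """[(artifactId, version)] for every jackson-core-group pom.properties in the jar."""
    found = []
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                found.append((props.get("artifactId", "?"), props.get("version", "?")))
    return found

def inventory(classpath_dirs):
    """Map jar path -> jackson artifacts, for every *.jar in the given directories."""
    jars = [os.path.join(d, f) for d in classpath_dirs
            for f in sorted(os.listdir(d)) if f.endswith(".jar")]
    found = {p: jackson_artifacts_in_jar(p) for p in jars}
    return {p: hits for p, hits in found.items() if hits}

def databind_versions(inv):
    """Distinct jackson-databind versions present; more than one means the copies
    are not being upgraded together."""
    return sorted({v for hits in inv.values() for a, v in hits if a == "jackson-databind"})

def build_sample_classpath():
    """Constructed sample (versions illustrative, not real SDK data): a plain
    jackson-databind jar, a bundle shading an older copy, and an unrelated jar."""
    d = tempfile.mkdtemp()
    def write_jar(name, artifact, version):
        with zipfile.ZipFile(os.path.join(d, name), "w") as z:
            z.writestr(POM_PREFIX + artifact + "/pom.properties",
                       "artifactId=%s\nversion=%s\n" % (artifact, version))
    write_jar("jackson-databind-2.13.0.jar", "jackson-databind", "2.13.0")
    write_jar("some-bundle-1.0.jar", "jackson-databind", "2.9.4")
    with zipfile.ZipFile(os.path.join(d, "plain-lib.jar"), "w") as z:
        z.writestr("com/example/Foo.class", b"")
    return d
```

Point `inventory` at the real directories on the classpath (for example the Hadoop lib directories) to see which jars carry their own jackson-databind and at which version.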


People

Assignee / Reporter: Steve Loughran (stevel@apache.org)
Votes: 0
Watchers: 3

Time Tracking

Estimated: Not Specified
Remaining: 0h
Logged: 4.5h