HBASE-22863

Avoid Jackson versions and dependencies with known CVEs


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 2.3.0
    • Fix Version/s: 3.0.0, 2.3.0, 2.2.1, 2.1.6
    • Component/s: dependencies
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      1. Stopped exposing vulnerable Jackson1 dependencies so that downstreamers would not pull them in from HBase.
      2. However, since Hadoop requires some Jackson1 dependencies, the vulnerable Jackson mapper is put at test scope in some HBase modules, and hence the HBase tarball created by hbase-assembly contains the Jackson1 mapper jar in lib. Still, downstream applications can't pull in Jackson1 from HBase.

      Description

      Partial forward-port of the branch-1 Jira HBASE-22728.

      Even though master and branch-2 moved away from Jackson1 some time back, HBase is still pulling in some vulnerable Jackson dependencies (e.g. jackson-mapper-asl:1.9.13) from Hadoop:


      [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
      [INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
      [INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
      [INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
      [INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
      [INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
      [INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
      [INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
      [INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
      [INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
      [INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
      [INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
      [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
      [INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
      [INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
      [INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
      [INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
      [INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
      [INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
      [INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
      [INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
      [INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
      [INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
      [INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
      [INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
      [INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
      [INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
      [INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile

      Jackson1 is not used in HBase code anymore, and hence we should include it only at test scope where Hadoop requires it, and definitely exclude it from the corresponding Hadoop dependencies.

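      The approach described above, as an added illustration of the Maven mechanics. This is not the HBASE-22863 patch itself (that is attached below); the module name, Hadoop version and artifact coordinates are taken from the dependency tree above, while the enforcer execution is an assumption about how one would guard against the leak coming back. Exclusions on the Hadoop artifacts are what stop downstream consumers from inheriting Jackson1, because exclusions travel with the published POM; the explicit test-scoped jackson-mapper-asl keeps it on the classpath for Hadoop during this module's own tests only.

```xml
<!-- Hypothetical pom.xml fragment for an HBase module such as hbase-mapreduce.
     Added illustration, not the HBASE-22863 patch. -->
<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-mapreduce-client-core</artifactId>
      <version>2.8.5</version>
      <exclusions>
        <!-- hadoop-yarn-common drags in jackson-jaxrs and jackson-xc 1.9.13.
             The wildcard artifactId cuts the whole org.codehaus.jackson subtree
             (wildcard exclusions need Maven 3.2.1 or newer). -->
        <exclusion>
          <groupId>org.codehaus.jackson</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-mapreduce-client-jobclient</artifactId>
      <version>2.8.5</version>
      <type>test-jar</type>
      <scope>test</scope>
      <exclusions>
        <!-- avro 1.7.7 under this test-jar brings jackson-mapper-asl 1.9.13 -->
        <exclusion>
          <groupId>org.codehaus.jackson</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- Hadoop still needs the Jackson1 mapper at runtime while this module's
         tests run, so declare it directly but only at test scope. A direct
         declaration wins over any transitive scope, and test-scoped
         dependencies are not inherited by consumers of this POM. -->
    <dependency>
      <groupId>org.codehaus.jackson</groupId>
      <artifactId>jackson-mapper-asl</artifactId>
      <version>1.9.13</version>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Assumed regression guard: fail the build if any Jackson1 artifact
           reappears at compile or runtime scope, directly or transitively.
           Plugin version is expected to come from the parent pluginManagement. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-jackson1-outside-test-scope</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- pattern: groupId:artifactId:version:type:scope -->
                    <exclude>org.codehaus.jackson:*:*:*:compile</exclude>
                    <exclude>org.codehaus.jackson:*:*:*:runtime</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

      To confirm the result, run `mvn -pl hbase-mapreduce dependency:tree -Dincludes=org.codehaus.jackson` and check that every remaining Jackson1 line ends in `:test`; a line ending in `:compile` means a path was missed. As the release note points out, test scope only governs what Maven consumers inherit: the hbase-assembly tarball still ships the Jackson1 mapper jar in lib because Hadoop needs it at runtime, so a scanner pointed at a deployed server classpath will continue to report it.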

        Attachments

        1. HBASE-22863.master.000.patch (30 kB, Viraj Jasani)
        2. HBASE-22863.master.001.patch (14 kB, Viraj Jasani)
        3. HBASE-22863.branch-2.000.patch (14 kB, Viraj Jasani)


              People

              • Assignee: Viraj Jasani (vjasani)
              • Reporter: Viraj Jasani (vjasani)
              • Votes: 0
              • Watchers: 5
