Hadoop HDFS / HDFS-15333

Vulnerability fixes needed for the jackson-databind HDFS dependency library


Details

    • Type: Improvement
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 3.2.1
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

    Description

      HDFS has a couple of dependencies that bundle a Jackson library with known vulnerabilities.

      Below is the list of libraries used by HDFS that carry the vulnerable library:

      • htrace-core4-4.1.0-incubating.jar:jackson-databind
      • htrace-core-3.1.0-incubating.jar:jackson-databind
      • aws-java-sdk-bundle-1.11.375.jar:jackson-databind
      • hadoop-client-runtime-3.2.1.jar:jackson-databind
      • jackson-databind-2.9.8.jar


      For example, "htrace-core4-4.1.0-incubating" is built with Jackson 2.4.0. POM URL: https://github.com/apache/incubator-retired-htrace/blob/e12b5fcfaafa56d676fee5f873da01df6b61dac9/pom.xml.


      Jackson versions < 2.9.1 have the following list of vulnerabilities:

      • CVE-2019-14379
      • CVE-2019-16335
      • CVE-2019-17531
      • CVE-2019-14540
      • CVE-2018-11307
      • CVE-2019-12402
      • CVE-2018-7489
      • CVE-2018-12022
      • CVE-2019-14439
      • CVE-2017-15095
      • CVE-2017-7525
      • CVE-2017-17485


      Attaching the image scan result file.
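Because the vulnerable copies listed above sit inside other jars (shaded bundles such as hadoop-client-runtime and aws-java-sdk-bundle) rather than as a top-level jackson-databind artifact, a plain dependency listing misses them; the added Python check below, not part of the issue or of Hadoop, opens each jar as a zip, reads the Maven pom.properties that jackson-databind leaves under META-INF, and flags bundled versions below a threshold. The 2.9.1 default is the figure this report uses and is a parameter, and the in-memory jars built by constructed_jar are constructed fixtures, not real Hadoop artifacts.

```python
import io
import re
import zipfile
# Maven stamps the bundled artifact's coordinates here; shaded jars such as
# hadoop-client-runtime usually keep this entry even when classes are relocated.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
# Relocated classes keep this path suffix (e.g. org/apache/hadoop/shaded/com/...).
MARKER_SUFFIX = "com/fasterxml/jackson/databind/ObjectMapper.class"

def parse_version(text):
    """'2.9.8' -> (2, 9, 8); trailing qualifiers such as '-rc1' are ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in match.group(1).split(".")) if match else ()

def bundled_jackson_version(jar):
    """Bundled jackson-databind version, 'unknown' if only (possibly relocated)
    classes are present, or None if the jar does not carry jackson-databind."""
    with zipfile.ZipFile(jar) as zf:  # jar may be a path or a file-like object
        names = zf.namelist()
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return value.strip()
        return "unknown" if any(n.endswith(MARKER_SUFFIX) for n in names) else None

def audit_jars(jars, min_version="2.9.1"):
    """jars: iterable of (display name, path or file object).
    Returns {name: (status, version)} with status 'vulnerable', 'ok' or 'unknown'."""
    floor = parse_version(min_version)
    report = {}
    for name, jar in jars:
        version = bundled_jackson_version(jar)
        if version is None:
            continue  # no jackson-databind inside, nothing to report
        elif version == "unknown":
            report[name] = ("unknown", version)
        else:
            report[name] = ("vulnerable" if parse_version(version) < floor else "ok", version)
    return report

def constructed_jar(version, with_pom=True):
    """Constructed in-memory stand-in for a shaded jar (not a real Hadoop artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_pom:
            zf.writestr(POM_PROPS, f"groupId=com.fasterxml.jackson.core\nversion={version}\n")
        zf.writestr("org/apache/hadoop/shaded/" + MARKER_SUFFIX, b"")
    buf.seek(0)
    return buf
```

Against a real installation, pass `(path, path)` pairs for every jar under the Hadoop lib directories; an "unknown" result means the classes are present but the Maven metadata was stripped, so the version has to be confirmed from the build's POM as the report does for htrace-core4.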


      People

        • Assignee: Unassigned
        • Reporter: hridesh.kumar (Hridesh)