Details
- Improvement
- Status: Open
- Critical
- Resolution: Unresolved
- 3.2.1
- None
- None
Description
HDFS has a couple of dependencies that bundle a Jackson library with vulnerabilities.
Below is the list of libraries used by HDFS that have the vulnerability:
- htrace-core4-4.1.0-incubating.jar:jackson-databind
- htrace-core-3.1.0-incubating.jar:jackson-databind
- aws-java-sdk-bundle-1.11.375.jar:jackson-databind
- hadoop-client-runtime-3.2.1.jar:jackson-databind
- jackson-databind-2.9.8.jar
- hadoop-client-runtime-3.2.1.jar:jackson-databind
For example: "htrace-core4-4.1.0-incubating" is built with Jackson 2.4.0. POM URL: https://github.com/apache/incubator-retired-htrace/blob/e12b5fcfaafa56d676fee5f873da01df6b61dac9/pom.xml.
Jackson versions < 2.9.1 have the following vulnerabilities:
CVE-2019-14379
CVE-2019-16335
CVE-2019-17531
CVE-2019-14540
CVE-2018-11307
CVE-2019-12402
CVE-2018-7489
CVE-2018-12022
CVE-2019-14439
CVE-2017-15095
CVE-2017-7525
CVE-2017-17485
Attaching image scan result file.
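
One way to confirm which jars bundle a copy of jackson-databind and at what version, as an added example that is not part of the original issue or of Hadoop's code. It assumes the bundling jar kept the Maven `pom.properties` entry for jackson-databind (a shaded jar that strips it is not detected); all function names are hypothetical, the threshold is the issue's stated 2.9.1, and `constructed_jar` only builds constructed sample input.

```python
import io, re, sys, zipfile

# Maven metadata entry that shading commonly copies into the bundling jar.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
THRESHOLD = (2, 9, 1)           # the issue's stated cut-off: "Jackson version < 2.9.1"
MAX_NESTED = 256 * 1024 * 1024  # skip nested jars larger than this (uncompressed)

def parse_version(text):
    """Leading numeric components as a tuple, or None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def bundled_databind(jar, label, depth=2):
    """Yield (location, version) per jackson-databind copy; `jar` is a path or file object."""
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.filename.endswith(POM_PROPS):
                props = zf.read(info).decode("utf-8", "replace")
                m = re.search(r"^version\s*=\s*(\S+)", props, re.M)
                yield label, m.group(1) if m else "unknown"
            elif info.filename.endswith(".jar") and depth > 0 and info.file_size <= MAX_NESTED:
                try:  # follow jars packed inside jars
                    yield from bundled_databind(io.BytesIO(zf.read(info)),
                                                f"{label}!{info.filename}", depth - 1)
                except zipfile.BadZipFile:
                    continue

def audit(jar, label):
    """Return [(location, version, flagged)]; unparseable versions are flagged for review."""
    rows = []
    for where, ver in bundled_databind(jar, label):
        parsed = parse_version(ver)
        rows.append((where, ver, parsed is None or parsed < THRESHOLD))
    return rows

def constructed_jar(entries):
    """Build an in-memory jar from {entry name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path in sys.argv[1:]:  # jar paths given on the command line
        for row in audit(path, path):
            print(*row)
```

Run it with jar paths as arguments; each output row is the location, the bundled version, and whether it falls below the threshold.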
Attachments
Issue Links
- relates to: HADOOP-17171 Please fix CVEs by removing reference to htrace-core4 (Resolved)