Apache Storm / STORM-3754

Upgrade Guava version because of security vulnerability


Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • None
    • None
    • Component/s: storm-hdfs, storm-hive
    • None

    Description

      storm-hdfs-examples and storm-hive-examples use com.google.guava:guava:16.0.1
      This has a known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

      "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attack."

      The guava version downgrade was required earlier because of hadoop-hdfs 2.6.1.
      Since storm is now using hadoop-hdfs 2.8.5, this downgrade may not be necessary.

      It is possible that a separate jar may need to be added as a dependency: com.google.guava:failureaccess:1.0. See https://github.com/google/guava/releases around Oct 18, 2018, when Guava version 27.0 was released. Note that Hadoop HDFS 2.8.5 was released on Sep 8, 2018 (i.e. before Guava version 27.0).
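A check for the version range quoted above, as an added example that is not part of the issue or of Storm's code: it scans one POM for `com.google.guava:guava` declarations, resolves locally defined `${...}` properties, and classifies each against the CVE-2018-10237 range. The names `find_guava` and `SAMPLE_POM` and the sample POM itself are constructed for illustration; only versions declared in the file are examined, not versions Maven resolves transitively.

```python
import re
import xml.etree.ElementTree as ET

# Range from the CVE-2018-10237 text quoted in the issue: 11.0 up to, not including, 24.1.1
AFFECTED_FROM, FIXED_IN = (11, 0, 0), (24, 1, 1)

# Constructed sample POM, not copied from the Storm repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><guava.version>16.0.1</guava.version></properties>
  <dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>${guava.version}</version></dependency>
    <dependency><groupId>org.apache.hadoop</groupId><artifactId>hadoop-hdfs</artifactId>
      <version>2.8.5</version></dependency>
  </dependencies>
</project>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def version_key(version):
    """'24.1.1-jre' -> (24, 1, 1); None when no literal number is present."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return None
    parts = [int(n) for n in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so '11' compares as 11.0.0

def find_guava(pom_text):
    """Return [(version, status)] for each com.google.guava:guava declaration."""
    root = ET.fromstring(pom_text)
    props = {local(p.tag): (p.text or "").strip()
             for el in root.iter() if local(el.tag) == "properties" for p in el}
    findings = []
    # root.iter() also reaches dependencyManagement and profile sections
    for dep in (el for el in root.iter() if local(el.tag) == "dependency"):
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) != ("com.google.guava", "guava"):
            continue
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), f.get("version", ""))
        key = version_key(version)
        if key is None:
            status = "unresolved"  # inherited, or property defined in a parent POM
        else:
            status = "affected" if AFFECTED_FROM <= key < FIXED_IN else "not affected"
        findings.append((version or "(inherited)", status))
    return findings

if __name__ == "__main__":
    print(find_guava(SAMPLE_POM))
```

An `unresolved` result means the version comes from a parent POM or an undefined property, so the effective POM has to be checked instead.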

          People

            Assignee: Unassigned
            Reporter: Bipin Prasad (bipinprasad)