Apache Storm / STORM-3918

Bump snakeyaml from 1.32 to 2.0

Details

    • Type: Dependency upgrade
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.0
    • Fix Version/s: 2.5.0
    • Component/s: storm-core
    • Labels: None

    Description

      The current snakeyaml version is vulnerable to CVE-2022-1471, which is rated 9.8 CRITICAL by NIST.

      The trivial fix is to update to snakeyaml 2.0.

      I tried manually replacing the existing snakeyaml JAR with the 2.0 version (but keeping the same JAR file name to avoid issues with a potentially hard-coded CLASSPATH), then restarted all Storm-related processes (Nimbus, logviewer, Supervisor, Nimbus UI...) and deployed some topologies: everything worked fine.

      So it looks like a trivial task.
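      A check that goes with the workaround described above (an added example for this page, not code from the Storm project or from the reporter): because the old file name was kept, anything that infers the snakeyaml version from the JAR name would still report 1.32 after the swap, and a bare rename of a 1.32 jar to "snakeyaml-2.0.jar" would pass. The script below therefore reads the version from the jar's own metadata and treats anything below 2.0, or with no readable version, as affected by CVE-2022-1471. It assumes a Maven-built jar carrying META-INF/maven/org.yaml/snakeyaml/pom.properties (falling back to Bundle-Version or Implementation-Version in the manifest); the sample jars it builds are constructed stand-ins, not real snakeyaml builds.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Metadata paths inside a Maven-built jar (assumption: the jar was produced by
# Maven, as the org.yaml:snakeyaml releases on Maven Central are).
POM_PROPERTIES = "META-INF/maven/org.yaml/snakeyaml/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"

# CVE-2022-1471 (arbitrary class construction through the default Constructor)
# is fixed in snakeyaml 2.0, so every 1.x release is affected.
FIXED_MAJOR = 2


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.32', '2.0' or an OSGi-style '2.0.0' into a comparable tuple."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


def snakeyaml_version(jar_path: str) -> Optional[str]:
    """Return the version recorded inside the jar, ignoring the file name.

    pom.properties is authoritative; the manifest is a fallback. None means the
    jar carries no recognisable snakeyaml version at all.
    """
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    return value.strip()
        if MANIFEST in names:
            for line in jar.read(MANIFEST).decode("utf-8").splitlines():
                key, sep, value = line.partition(":")
                if sep and key.strip() in ("Bundle-Version", "Implementation-Version"):
                    return value.strip()
    return None


def is_vulnerable(version: str) -> bool:
    """True for every release before the 2.0 fix (major version below 2)."""
    return parse_version(version)[0] < FIXED_MAJOR


def audit_classpath(lib_dir: str) -> Dict[str, Tuple[Optional[str], bool]]:
    """Check every snakeyaml*.jar under lib_dir: {path: (version, vulnerable)}.

    A jar whose version cannot be read is reported as vulnerable (fail closed).
    """
    results: Dict[str, Tuple[Optional[str], bool]] = {}
    for jar in sorted(Path(lib_dir).rglob("snakeyaml*.jar")):
        version = snakeyaml_version(str(jar))
        results[str(jar)] = (version, version is None or is_vulnerable(version))
    return results


def build_sample_jar(path: str, version: str) -> str:
    """Write a minimal stand-in jar (constructed sample, not a real snakeyaml
    build) whose embedded metadata says `version`, whatever its file name."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.yaml\nartifactId=snakeyaml\nversion={version}\n")
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nBundle-Version: {version}.0\n")
    return path


def demo_audit() -> Dict[str, Tuple[Optional[str], bool]]:
    """Reproduce the report's scenario with constructed jars and audit them."""
    with tempfile.TemporaryDirectory() as lib:
        # A 2.0 jar dropped in under the old 1.32 file name (the swap described
        # in the report), next to an untouched 1.32 jar that was never replaced.
        build_sample_jar(f"{lib}/snakeyaml-1.32.jar", "2.0")
        build_sample_jar(f"{lib}/snakeyaml-1.32-old.jar", "1.32")
        return {Path(p).name: r for p, r in audit_classpath(lib).items()}


if __name__ == "__main__":
    for name, (version, vulnerable) in demo_audit().items():
        print(f"{name}: version={version} vulnerable={vulnerable}")
```

      Point audit_classpath at the Storm lib directory of each host after the swap; a jar that still reports 1.x, or reports no version, is one the restart did not actually fix.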


            People

              Assignee: Alexandre Vermeerbergen (avermeerbergen)
              Reporter: Alexandre Vermeerbergen (avermeerbergen)
              Votes: 0
              Watchers: 2
