[YARN-11199] Replace htrace-core with hbase-noop-htrace for CVE-2018-7489, CVE-2020-35491, CVE-2020-35490, and CVE-2020-36518 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.4.0, 3.3.5, 3.3.4
Fix Version/s: None
Component/s: timelineservice
Labels:
- pull-request-available
Environment:

The build was performed using the Hadoop development environment.

Description

Distributions of Hadoop still contain htrace, which is a critical CVE-2018-7489 concerning FasterXML jackson-databind. This can be addressed by replacing `htrace-core` with `hbase-noop-htrace` in Hadoop builds. I'll extract this from HADOOP-18311.

Downloading the published 3.3.3 distribution we can find htrace-core:

% tar -tzf ~/Downloads/hadoop-3.3.3.tar.gz | grep htrace
hadoop-3.3.3/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar

It also appears in builds of trunk

% mvn -nsu clean install -Pdist,native -Drequire.snappy -Drequire.zstd -Drequire.openssl -Drequire.isal -DskipTests -Dtar -Dmaven.javadoc.skip=true
[...]
% tar -tzf hadoop-dist/target/hadoop-3.4.0-SNAPSHOT.tar.gz | grep htrace
hadoop-3.4.0-SNAPSHOT/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar

Attachments

Issue Links

is a child of

HADOOP-18311 Upgrade dependencies to address several CVEs

Open

links to

GitHub Pull Request #4506

Activity

People

Assignee:: Unassigned

Reporter:: Steve Vaughan

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 27/Jun/22 18:14

Updated:: 28/Jun/22 15:18

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

0.5h