Details
- Type: Task
- Status: Resolved
- Priority: Major
- Resolution: Done
- 2.0.0
Description
This is a continuation of the investigation made in HDDS-10589.
The hdds-hadoop-dependency-(client|server) modules depend on hadoop-common, which in turn depends on com.nimbusds:nimbus-jose-jwt:9.8.1 (through org.apache.hadoop:hadoop-auth).
Version 9.8.1 of the com.nimbusds:nimbus-jose-jwt library contains a shaded copy of net.minidev:json-smart:1.3.2 (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/815b98228df7be7b918ae368ea003a034768f769/pom.xml#lines-59), which is affected by a CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-31684.
The nearest version of nimbus-jose-jwt that does not have the CVE is 9.24; there the json-smart library was replaced with com.google.code.gson:gson.
Hence, we need to exclude the nimbus-jose-jwt dependency from the transitive dependencies of hadoop-common in the hdds-hadoop-dependency-(client|server) modules and include it directly at a fixed version (9.24).
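The exclusion-plus-direct-declaration described above, as an illustrative Maven pom.xml fragment added here (not the actual Ozone patch); the property name and the assumption that the hadoop-common version comes from the parent's dependencyManagement are mine:

```xml
<!-- Illustrative fragment for the pom.xml of an hdds-hadoop-dependency-(client|server)
     module. Module names are from the issue; the rest is an example, not the real patch. -->
<properties>
  <!-- First nimbus-jose-jwt release that no longer shades json-smart (CVE-2021-31684). -->
  <nimbus-jose-jwt.version>9.24</nimbus-jose-jwt.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-common</artifactId>
    <!-- version assumed to be managed by the parent's dependencyManagement -->
    <exclusions>
      <!-- A Maven exclusion applies to the whole transitive subtree of this
           dependency, so it also removes the copy pulled in through hadoop-auth. -->
      <exclusion>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Re-add the library directly, pinned to the fixed version. -->
  <dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>${nimbus-jose-jwt.version}</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` run in the module should list only the 9.24 artifact; if 9.8.1 still appears, another path is bringing it in and needs the same exclusion.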
Attachments
Issue Links
- is related to HADOOP-19115: upgrade to nimbus-jose-jwt 9.37.2 due to CVE (Resolved)
- is related to HADOOP-18711: upgrade nimbus jwt jar due to issues in its embedded shaded json-smart code (Resolved)
- links to