Closed markheger closed 4 years ago
The Maven pom.xml file was upgraded to use the following third-party JAR libraries:
commons-codec-1.14.jar --> commons-codec-1.15.jar
guava-13.0.1.jar --> guava-20.0.jar
hadoop-annotations-3.1.0.jar --> hadoop-annotations-3.3.0.jar
hadoop-auth-3.1.0.jar --> hadoop-auth-3.3.0.jar
hadoop-common-3.1.0.jar --> hadoop-common-3.3.0.jar
netty-all-4.1.42.Final.jar --> netty-all-4.1.52.Final.jar
servlet-api-2.5.jar --> javax.servlet-api-4.0.1.jar
The jackson-mapper-asl-1.9.13.jar has been deleted from the list.
The streamsx.hbase vulnerability issue (#133) was corrected in version 3.9.0: https://github.com/IBMStreams/streamsx.hbase/releases/tag/v3.9.0
jackson-mapper-asl-1.9.13.jar
Severity: High CVE-2019-10202 Resolution: Upgrade to version JBoss Enterprise Application Platform - 7.2.4;com.fasterxml.jackson.core:jackson-databind:2.9.9 -->
(most probably not possible due to change of major version) or only when no longer required by newer hadoop version
netty-all-4.1.42.Final.jar
Severity: High CVE-2020-11612 Resolution: Upgrade to version io.netty:netty-all:4.1.46.Final -->
change dependency to 4.1.52.Final
hadoop-common-3.1.0.jar
Severity: Medium CVE-2018-8009 Resolution: Upgrade to version 3.1.1 -->
change dependency to newer hadoop version 3.x
guava-13.0.1.jar
Severity: Medium CVE-2018-10237 Resolution: Upgrade to version 24.1.1-jre -->
(most probably not possible due to change of major version)