IBMStreams / streamsx.hdfs

This toolkit provides operators and functions for interacting with Hadoop File System.
http://ibmstreams.github.io/streamsx.hdfs/
Apache License 2.0

Vulnerability found in org.codehaus.jackson:jackson-mapper-asl #120

Open schubon opened 4 years ago

schubon commented 4 years ago

Details

CVE-2019-10172

Severity: moderate
Vulnerable versions: <= 1.9.13
Patched version: No fix

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.

Remediation

No patched version is available.

anouri commented 4 years ago

The latest versions of the jackson-core-asl and jackson-mapper-asl libraries are 1.9.13 and they are from 2013. There have been no further releases since then.

Hadoop and HBase also use these libraries in the newest released version 3.1 from Nov. 2019.

/usr/hdp/3.1.0.0-78/hbase/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hbase/lib/jackson-mapper-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-mapper-asl-1.9.13.jar
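An added inventory check, not code from the issue thread or the toolkit: it walks an install tree such as the /usr/hdp paths listed above, finds jackson-core-asl and jackson-mapper-asl jars, and flags every version at or below 1.9.13, which per the advisory covers all released versions. The root directory is an assumed argument; the jar names in the test are constructed.

```shell
#!/bin/sh
# Added example: find jackson-*-asl jars under one or more roots and report
# those whose version is <= 1.9.13 (the affected range in CVE-2019-10172).

# Exit 0 if version $1 (e.g. 1.9.13) is <= 1.9.13, i.e. in the affected range.
is_affected_version() {
  # Compare major.minor.patch numerically; missing fields count as 0.
  awk -v v="$1" 'BEGIN {
    split(v, a, ".");
    maj = a[1] + 0; min = a[2] + 0; pat = a[3] + 0;
    if (maj < 1 || (maj == 1 && (min < 9 || (min == 9 && pat <= 13)))) exit 0;
    exit 1
  }'
}

# Print "<version>\t<path>" for each affected jar found under the given roots.
find_affected_jackson_asl_jars() {
  find "$@" -type f \
    \( -name 'jackson-core-asl-*.jar' -o -name 'jackson-mapper-asl-*.jar' \) \
    2>/dev/null |
  while IFS= read -r jar; do
    base=$(basename "$jar" .jar)
    ver=${base##*-asl-}           # jackson-mapper-asl-1.9.13 -> 1.9.13
    if is_affected_version "$ver"; then
      printf '%s\t%s\n' "$ver" "$jar"
    fi
  done
}

# Usage: find_affected_jackson_asl_jars /usr/hdp/3.1.0.0-78/hadoop/lib /usr/hdp/3.1.0.0-78/hbase/lib
```

Run it against the hadoop/lib and hbase/lib directories of each node; an empty result means no jackson-*-asl jar is present, not that the dependency was patched.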

anouri commented 4 years ago

Correction delivered in version streamsx.hdfs 5.2.0 https://github.com/IBMStreams/streamsx.hdfs/releases/tag/v5.2.0

xuzikun2003 commented 3 years ago

Why is this issue closed? It looks like we don't have a fix for this vulnerability yet.

schubon commented 3 years ago

I have to agree @xuzikun2003, as there are no new versions of the libraries showing the vulnerability, it cannot be corrected.