hazelcast / hazelcast-jet

Distributed Stream and Batch Processing
https://jet-start.sh

Vulnerabilities in htrace-core4 used by Jet master #2980

Open olukas opened 3 years ago

olukas commented 3 years ago

Jet uses Hadoop, which uses htrace:htrace-core4 in version 4.1.0-incubating, which has a shaded com.fasterxml.jackson.core:jackson-databind:2.4.0 that includes the following vulnerabilities:

gierlachg commented 3 years ago

We already use the latest, as of today, version of Hadoop libraries (3.3.0).

gurbuzali commented 3 years ago

There is no new version of htrace:htrace-core4 which shades a fixed version of the Jackson libraries.

olukas commented 3 years ago

NOTE: For Jet 4.5, for some reason, OWASP evaluated this vulnerability as a dependency:

but it seems to be the same dependency, just reported in a different way.
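The two reports above (a shaded jackson-databind inside htrace-core4, and OWASP listing it as a separate dependency) come down to the same thing: a shade plugin relocates the classes but usually leaves each bundled artifact's `META-INF/maven/<groupId>/<artifactId>/pom.properties` in the jar, which is what scanners read. The following is an added example, not code from the Jet or htrace projects; it inspects a jar for those embedded descriptors, and the sample jar it builds is a constructed stand-in for htrace-core4 (the relocated package name `org/apache/htrace/shaded/...` is an assumption, not taken from the real jar).

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Descriptor the Maven shade plugin normally keeps for every bundled artifact.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def _parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties parser (key=value lines, '#' comments)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_embedded_artifacts(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return sorted (groupId, artifactId, version) for each Maven artifact whose
    pom.properties survives inside the jar, i.e. what a dependency scanner sees."""
    found: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = _parse_properties(jar.read(name).decode("utf-8", "replace"))
            found.append((props.get("groupId", match.group(1)),
                          props.get("artifactId", match.group(2)),
                          props.get("version", "?")))
    return sorted(found)


def build_sample_jar() -> bytes:
    """Constructed stand-in for htrace-core4: its own descriptor, the descriptor of
    the shaded jackson-databind 2.4.0, and one relocated class (assumed path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.htrace/htrace-core4/pom.properties",
                     "groupId=org.apache.htrace\nartifactId=htrace-core4\nversion=4.1.0-incubating\n")
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.4.0\n")
        jar.writestr("org/apache/htrace/shaded/fasterxml/jackson/databind/ObjectMapper.class",
                     b"\xca\xfe\xba\xbe")  # class-file magic only, constructed
    return buf.getvalue()


if __name__ == "__main__":
    for group, artifact, version in find_embedded_artifacts(build_sample_jar()):
        print(f"{group}:{artifact}:{version}")
```

Running it over the real htrace-core4 jar (or any shaded jar on the Jet classpath) lists the bundled artifacts a build-tool dependency tree does not show, which explains why OWASP reported jackson-databind on its own.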

palaashatri commented 1 year ago

So, any updates on this yet?