hazelcast / hazelcast-jet

Distributed Stream and Batch Processing
https://jet-start.sh

Vulnerabilities in parquet-jackson used by Jet #3130

Open olukas opened 1 year ago

olukas commented 1 year ago

Jet uses parquet-jackson in version 1.12.3, which shades com.fasterxml.jackson.core:jackson-databind:2.13.2.2, which includes the following vulnerabilities:

It's the same as https://github.com/hazelcast/hazelcast/issues/22407#issuecomment-1268404278
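A shaded copy of jackson-databind carries none of the Maven coordinates a dependency scanner keys on, so the check below inspects the jar contents directly. This is an added example by the editor, not code from the issue or from the Jet project; the relocation prefix `shaded/parquet/...`, the retained `pom.properties` path, and the sample jar are assumptions constructed to match the versions named in the comment above.

```python
"""Detect a jackson-databind copy shaded inside a jar such as parquet-jackson."""
import io
import zipfile

# Assumed relocation prefix produced by parquet-jackson's shade configuration.
SHADED_PREFIX = "shaded/parquet/com/fasterxml/jackson/databind/"
# Assumed location of the pom.properties the shade plugin copies from the dependency.
POM_PROPERTIES = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"


def find_shaded_databind(jar_bytes: bytes) -> dict:
    """Report relocated databind classes and, when still present, their version.

    'relocated_classes' counts .class entries under the shaded prefix, which
    survive even when metadata is stripped; 'version' comes from the bundled
    pom.properties and is None if the shade plugin removed it.
    """
    result = {"relocated_classes": 0, "version": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        result["relocated_classes"] = sum(
            1 for n in names if n.startswith(SHADED_PREFIX) and n.endswith(".class")
        )
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode().splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    result["version"] = value.strip()
    return result


def build_sample_jar(keep_pom: bool = True) -> bytes:
    """Constructed stand-in for parquet-jackson-1.12.3.jar (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Two relocated databind classes; the bytes are just a class-file magic header.
        jar.writestr(SHADED_PREFIX + "ObjectMapper.class", b"\xca\xfe\xba\xbe")
        jar.writestr(SHADED_PREFIX + "JsonNode.class", b"\xca\xfe\xba\xbe")
        if keep_pom:
            jar.writestr(POM_PROPERTIES,
                         "groupId=com.fasterxml.jackson.core\n"
                         "artifactId=jackson-databind\nversion=2.13.2.2\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_shaded_databind(build_sample_jar()))          # version found
    print(find_shaded_databind(build_sample_jar(False)))     # classes only
```

When the version is None, the relocated class count still flags the embedded copy so it can be matched against the databind advisories by other means.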

TomaszGaweda commented 1 year ago

Fix is not possible for 4.5.4 - there is no version of parquet-java that fixes the vulnerability. Previous versions are shading an even more vulnerable version of databind.