Potential security vulnerabilities found in third-party libraries #133

Closed
markheger opened this issue Sep 11, 2020 · 2 comments
Comments

@markheger (Member) wrote:

jackson-mapper-asl-1.9.13.jar

Severity: High
CVE-2019-10202
Resolution: Upgrade to version JBoss Enterprise Application Platform - 7.2.4;com.fasterxml.jackson.core:jackson-databind:2.9.9
--> (most probably not possible due to change of major version) or only when no longer required by newer hadoop version

netty-all-4.1.42.Final.jar

Severity: High
CVE-2020-11612
Resolution: Upgrade to version io.netty:netty-all:4.1.46.Final
--> change dependency to 4.1.52.Final

hadoop-common-3.1.0.jar

Severity: Medium
CVE-2018-8009
Resolution: Upgrade to version 3.1.1
--> change dependency to newer hadoop version 3.x

guava-13.0.1.jar

Severity: Medium
CVE-2018-10237
Resolution: Upgrade to version 24.1.1-jre
--> (most probably not possible due to change of major version)

anouri pushed a commit that referenced this issue Sep 22, 2020
anouri pushed a commit that referenced this issue Sep 23, 2020
@anouri (Member) commented Sep 23, 2020

The Maven pom.xml file was upgraded to use the following third-party JAR libraries.

commons-codec-1.14.jar            -->   commons-codec-1.15.jar
guava-13.0.1.jar                  -->   guava-20.0.jar
hadoop-annotations-3.1.0.jar      -->   hadoop-annotations-3.3.0.jar
hadoop-auth-3.1.0.jar             -->   hadoop-auth-3.3.0.jar
hadoop-common-3.1.0.jar           -->   hadoop-common-3.3.0.jar
netty-all-4.1.42.Final.jar        -->   netty-all-4.1.52.Final.jar
servlet-api-2.5.jar               -->   javax.servlet-api-4.0.1.jar

The jackson-mapper-asl-1.9.13.jar has been deleted from the list.
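
An added check, not code from the streamsx.hbase project, that applies the resolutions quoted in the issue above to the two jar lists from this comment: it parses Maven-style jar file names, compares the numeric part of each version against the advisory minimum, and reports every jar that is still below it. The minimum versions and CVE ids are copied from the issue; the simplified version ordering (qualifiers such as "Final" or "-jre" are ignored) and the helper names are this example's own assumptions. Run on the "after" list it reports nothing for netty-all or hadoop-common, but still lists guava-20.0.jar, because the resolution quoted in the issue names 24.1.1-jre as the minimum.

```python
"""Flag third-party JARs whose version is below the fixed version named in an advisory.

Added example, not part of the streamsx.hbase project. The minimum versions and CVE ids
are copied from the resolutions quoted in issue #133; the jar lists are the dependency
sets before and after the upgrade described in the comment above.
"""
import re
from typing import Dict, List, Optional, Tuple

# artifactId -> (minimum fixed version from the advisory, CVE). An empty minimum means the
# advisory names no in-range fix, so any copy of that artifact is reported.
ADVISORY_MINIMUMS: Dict[str, Tuple[str, str]] = {
    "jackson-mapper-asl": ("", "CVE-2019-10202"),
    "netty-all": ("4.1.46.Final", "CVE-2020-11612"),
    "hadoop-common": ("3.1.1", "CVE-2018-8009"),
    "guava": ("24.1.1-jre", "CVE-2018-10237"),
}

# Jar file names from the issue: the dependency set before and after the upgrade.
JARS_BEFORE: List[str] = [
    "commons-codec-1.14.jar", "guava-13.0.1.jar", "hadoop-annotations-3.1.0.jar",
    "hadoop-auth-3.1.0.jar", "hadoop-common-3.1.0.jar", "jackson-mapper-asl-1.9.13.jar",
    "netty-all-4.1.42.Final.jar", "servlet-api-2.5.jar",
]
JARS_AFTER: List[str] = [
    "commons-codec-1.15.jar", "guava-20.0.jar", "hadoop-annotations-3.3.0.jar",
    "hadoop-auth-3.3.0.jar", "hadoop-common-3.3.0.jar",
    "netty-all-4.1.52.Final.jar", "javax.servlet-api-4.0.1.jar",
]

# artifactId, then '-' and a version starting with a digit, then '.jar', e.g.
# 'netty-all-4.1.42.Final.jar' -> ('netty-all', '4.1.42.Final').
_JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def split_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) for a Maven-style jar file name, or None if it has no version."""
    m = _JAR_NAME.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a version string, e.g. '4.1.42.Final' -> (4, 1, 42).

    Qualifiers such as 'Final' or '-jre' are dropped. This is a deliberate simplification
    of Maven's full version ordering, sufficient for the release versions compared here.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_below(version: str, minimum: str) -> bool:
    """True if `version` sorts below the advisory `minimum`, or if no fixed version exists."""
    if not minimum:
        return True
    return version_key(version) < version_key(minimum)


def find_vulnerable(jars: List[str]) -> List[Tuple[str, str, str]]:
    """Return (jar, CVE, required minimum) for every jar below its advisory minimum."""
    findings: List[Tuple[str, str, str]] = []
    for jar in jars:
        parsed = split_jar_name(jar)
        if parsed is None:
            continue  # not a versioned jar name; nothing to compare
        artifact, version = parsed
        if artifact not in ADVISORY_MINIMUMS:
            continue  # no advisory entry for this artifact
        minimum, cve = ADVISORY_MINIMUMS[artifact]
        if is_below(version, minimum):
            findings.append((jar, cve, minimum or "no fixed version; remove the dependency"))
    return findings


if __name__ == "__main__":
    for label, jars in (("before", JARS_BEFORE), ("after", JARS_AFTER)):
        print(f"== {label} ==")
        for jar, cve, minimum in find_vulnerable(jars):
            print(f"{jar}: {cve}, requires {minimum}")
```

The comparison is intentionally conservative: a jar with no advisory entry is silently skipped rather than reported, so the list of minimums has to be kept complete for the check to mean anything, and the numeric-only ordering should be replaced by a real Maven version comparator if pre-release qualifiers ever need to be distinguished.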

anouri pushed a commit that referenced this issue Sep 24, 2020
anouri mentioned this issue Sep 24, 2020 in streamsx.hbase: Merge hadoop-3.3 branch to develop #133
anouri added a commit that referenced this issue Sep 24, 2020
@anouri (Member) commented Sep 25, 2020

The streamsx.hbase vulnerability issue (#133) was corrected in version 3.9.0
https://github.com/IBMStreams/streamsx.hbase/releases/tag/v3.9.0

anouri closed this as completed Sep 25, 2020