Vulnerabilities in parquet-jackson used by Jet #3130

Open
olukas opened this issue Dec 6, 2022 · 1 comment
Labels: security (Pull requests that address a security vulnerability), severity:high (Vulnerability scan classification for High Severity issues)
@olukas
Collaborator

olukas commented Dec 6, 2022

Jet uses parquet-jackson in version 1.12.3, which shades com.fasterxml.jackson.core:jackson-databind:2.13.2.2, which includes the following vulnerabilities:

It's the same as hazelcast/hazelcast#22407 (comment)

@olukas added the security and severity:high labels Dec 6, 2022
@olukas added this to the 4.5.4 milestone Dec 6, 2022
@TomaszGaweda
Contributor

Fix is not possible for 4.5.4 - there is no version of parquet-java that fixes the vulnerability. Previous versions are shading an even more vulnerable version of databind.

@TomaszGaweda modified the milestones: 4.5.4, 4.5.5 Dec 6, 2022