Remove avro, hadoop-auth and jersey-json dependencies from hadoop-common to resolve CVE-2019-10202, CVE-2023-1370 and CVE-2022-45685#3911
Merged
hezhangjian merged 3 commits into apache:master, Apr 17, 2023
Conversation
zymap
approved these changes
Apr 17, 2023
hezhangjian
approved these changes
Apr 17, 2023
zymap
pushed a commit
that referenced
this pull request
Jun 19, 2023
…mon to resolve CVE-2019-10202, CVE-2023-1370 and CVE-2022-45685 (#3911)

### Motivation

#### [CVE-2019-10202](https://www.cve.org/CVERecord?id=CVE-2019-10202)

After upgrading the Hadoop version to 3.3.5, CVE-2019-10202 still exists.

Detailed paths
Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.5 › org.apache.avro:avro@1.7.7 › org.codehaus.jackson:jackson-mapper-asl@1.9.13

#### [CVE-2023-1370](https://www.cve.org/CVERecord?id=CVE-2023-1370)

Detailed paths
Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.5 › org.apache.hadoop:hadoop-auth@3.3.5 › net.minidev:json-smart@2.4.7
Fix: No remediation path available.

#### [CVE-2022-45685](https://www.cve.org/CVERecord?id=CVE-2022-45685)

Detailed paths
Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.5 › com.github.pjfanning:jersey-json@1.20 › org.codehaus.jettison:jettison@1.1
Fix: No remediation path available.

After checking the code of package `org.apache.distributedlog.fs`, those classes only use the `org.apache.hadoop.conf`, `org.apache.hadoop.fs` and `org.apache.hadoop.util` packages. They don't use any Avro-related, json-smart or jersey-json dependencies. It is safe to remove those dependencies to resolve the CVE issue.
https://github.com/apache/bookkeeper/tree/master/stream/distributedlog/io/dlfs/src/main/java/org/apache/distributedlog/fs

### Changes

Exclude the Avro dependency from `hadoop-common`

(cherry picked from commit 94e15b3)
hangc0276
added a commit
to hangc0276/bookkeeper
that referenced
this pull request
Jun 26, 2023
…mon to resolve CVE-2019-10202, CVE-2023-1370 and CVE-2022-45685 (apache#3911)
zymap
pushed a commit
that referenced
this pull request
Dec 6, 2023
…mon to resolve CVE-2019-10202, CVE-2023-1370 and CVE-2022-45685 (#3911)
Ghatage
pushed a commit
to sijie/bookkeeper
that referenced
this pull request
Jul 12, 2024
…mon to resolve CVE-2019-10202, CVE-2023-1370 and CVE-2022-45685 (apache#3911)
### Motivation

#### [CVE-2019-10202](https://www.cve.org/CVERecord?id=CVE-2019-10202)

After upgrading the Hadoop version to 3.3.5, CVE-2019-10202 still exists.

Detailed paths
Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.5 › org.apache.avro:avro@1.7.7 › org.codehaus.jackson:jackson-mapper-asl@1.9.13

#### [CVE-2023-1370](https://www.cve.org/CVERecord?id=CVE-2023-1370)

Detailed paths
Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.5 › org.apache.hadoop:hadoop-auth@3.3.5 › net.minidev:json-smart@2.4.7
Fix: No remediation path available.

#### [CVE-2022-45685](https://www.cve.org/CVERecord?id=CVE-2022-45685)

Detailed paths
Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.5 › com.github.pjfanning:jersey-json@1.20 › org.codehaus.jettison:jettison@1.1
Fix: No remediation path available.

After checking the code of package `org.apache.distributedlog.fs`, those classes only use the `org.apache.hadoop.conf`, `org.apache.hadoop.fs` and `org.apache.hadoop.util` packages. They don't use any Avro-related, json-smart or jersey-json dependencies. It is safe to remove those dependencies to resolve the CVE issue.
https://github.com/apache/bookkeeper/tree/master/stream/distributedlog/io/dlfs/src/main/java/org/apache/distributedlog/fs

### Changes

Exclude the Avro dependency from `hadoop-common`
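The PR's own diff is not shown on this page, so the following is an added illustration, not the project's pom.xml change: it declares the `hadoop-common` dependency with Maven `<exclusions>` for the three transitive artifacts that head the dependency paths listed above. The group/artifact coordinates and the 3.3.5 version are taken from those paths; where in the dlfs module's pom the block sits is assumed.

```xml
<!-- Added example (not the PR's actual diff). Cuts the three dependency paths
     from the PR description at their first hop below hadoop-common, so the
     vulnerable leaf artifacts (jackson-mapper-asl, json-smart, jettison) no
     longer reach the classpath through this dependency. Placement in the
     dlfs pom is assumed. -->
<dependency>
  <groupId>org.apache.hadoop</groupId>
  <artifactId>hadoop-common</artifactId>
  <version>3.3.5</version>
  <exclusions>
    <!-- CVE-2019-10202: avro 1.7.7 pulls in jackson-mapper-asl 1.9.13 -->
    <exclusion>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
    </exclusion>
    <!-- CVE-2023-1370: hadoop-auth 3.3.5 pulls in json-smart 2.4.7 -->
    <exclusion>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-auth</artifactId>
    </exclusion>
    <!-- CVE-2022-45685: jersey-json 1.20 pulls in jettison 1.1 -->
    <exclusion>
      <groupId>com.github.pjfanning</groupId>
      <artifactId>jersey-json</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Two checks belong with a change like this. First, confirm the leaf artifacts are really gone rather than re-introduced through some other path: run `mvn dependency:tree -Dincludes=org.codehaus.jackson:jackson-mapper-asl,net.minidev:json-smart,org.codehaus.jettison:jettison` in the dlfs module; an empty filtered tree means no remaining path pulls them in, while any hit shows the other route that still needs an exclusion or an upgrade. Second, remember that an exclusion only removes jars from the classpath, it does not remove the `hadoop-common` code that references them; a Hadoop class that touches Avro (for example `org.apache.hadoop.fs.AvroFSInput`) would fail with `NoClassDefFoundError` if it were ever loaded, so the safety argument rests entirely on the package survey in the description, which found dlfs using only `org.apache.hadoop.conf`, `org.apache.hadoop.fs` and `org.apache.hadoop.util`. Re-run that survey whenever the dlfs code or the Hadoop version changes.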