Potential security vulnerabilities found in third-party libraries
markheger opened this issue · 2 comments
commons-httpclient-3.1.jar
Severity: Medium
CVE-2012-5783
jackson-mapper-asl-1.9.13.jar
Severity: High
CVE-2019-10202
Resolution: Upgrade to version JBoss Enterprise Application Platform - 7.2.4;com.fasterxml.jackson.core:jackson-databind:2.9.9
--> (most probably not possible due to change of major version) or only when no longer required by newer hadoop version
guava-13.0.1.jar
Severity: Medium
CVE-2018-10237
Resolution: Upgrade to version 24.1.1-jre
--> (most probably not possible due to change of major version)
hadoop-common-3.1.0.jar
Severity: Medium
CVE-2018-8009
Resolution: Upgrade to version 3.1.1
--> change dependency to newer hadoop version 3.x
hadoop-hdfs-3.1.0.jar
Severity: Medium
Resolution: Upgrade to version org.apache.hadoop:hadoop-hdfs:3.1.2
The following libraries must be updated to use the hadoop 3.3 client instead of hadoop 3.1:
List of third-party libraries for streamsx.hdfs toolkit
| streamsx.hdfs version 5.2.3 | streamsx.hdfs version 5.3.0 |
|---|---|
| commons-cli-1.4.jar | commons-cli-1.4.jar |
| commons-codec-1.14.jar | commons-codec-1.15.jar |
| commons-collections-3.2.2.jar | commons-collections-3.2.2.jar |
| | commons-compress-1.20.jar |
| commons-configuration2-2.7.jar | commons-configuration2-2.7.jar |
| commons-httpclient-3.1.jar | |
| commons-io-2.6.jar | commons-io-2.6.jar |
| commons-lang-2.6.jar | commons-lang-2.6.jar |
| commons-lang3-3.9.jar | commons-lang3-3.9.jar |
| commons-logging-1.2.jar | commons-logging-1.2.jar |
| guava-13.0.1.jar | guava-29.0-jre.jar |
| hadoop-annotations-3.1.0.jar | hadoop-annotations-3.3.0.jar |
| hadoop-auth-3.1.0.jar | hadoop-auth-3.3.0.jar |
| hadoop-common-3.1.0.jar | hadoop-common-3.3.0.jar |
| hadoop-hdfs-3.1.0.jar | hadoop-hdfs-3.3.0.jar |
| hadoop-hdfs-client-3.1.0.jar | hadoop-hdfs-client-3.3.0.jar |
| | hadoop-shaded-protobuf_3_7-1.0.0.jar |
| htrace-core4-4.2.0-incubating.jar | htrace-core4-4.2.0-incubating.jar |
| httpcore-4.4.11.jar | httpcore-4.4.13.jar |
| jackson-annotations-2.10.2.jar | jackson-annotations-2.11.2.jar |
| jackson-core-2.10.2.jar | jackson-core-2.11.2.jar |
| jackson-core-asl-1.9.13.jar | |
| jackson-databind-2.10.2.jar | jackson-databind-2.11.2.jar |
| jackson-mapper-asl-1.9.13.jar | |
| jersey-core-1.19.4.jar | jersey-core-1.19.4.jar |
| jersey-server-1.19.4.jar | jersey-server-1.19.4.jar |
| jsr311-api-1.1.1.jar | jsr311-api-1.1.1.jar |
| protobuf-java-3.9.1.jar | protobuf-java-3.13.0.jar |
| re2j-1.3.jar | re2j-1.4.jar |
| servlet-api-2.5.jar | javax.servlet-api-4.0.1.jar |
| slf4j-api-1.7.26.jar | slf4j-api-1.7.30.jar |
| slf4j-log4j12-1.7.26.jar | slf4j-log4j12-1.7.30.jar |
| stax2-api-4.2.jar | stax2-api-4.2.1.jar |
| woodstox-core-5.0.3.jar | woodstox-core-6.2.1.jar |
There are 3 new libraries:
commons-compress-1.20.jar
hadoop-shaded-protobuf_3_7-1.0.0.jar
javax.servlet-api-4.0.1.jar.
17 libraries must be updated.
2 libraries (jackson-core-asl-1.9.13.jar, jackson-mapper-asl-1.9.13.jar) must be deleted from the pom.xml list.
2 Java classes must be updated to use the new libraries:
com.ibm.streamsx.hdfs/impl/java/src/com/ibm/streamsx/hdfs/client/webhdfs/JsonUtil.java
com.ibm.streamsx.hdfs/impl/java/src/com/ibm/streamsx/hdfs/client/webhdfs/WebHdfsFileSystem.java
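The comparison above (which jars are new, removed or bumped between the two toolkit versions, and whether the bumped versions reach the fixed versions named in the scanner's resolutions) can be reproduced mechanically. The script below is an added example, not part of the streamsx.hdfs project; the jar lists and the minimum-version floors are a constructed subset of the table and the resolutions in this issue.

```python
import re

# Jar file names as they appear in a third-party library list, e.g.
# "hadoop-shaded-protobuf_3_7-1.0.0.jar" -> ("hadoop-shaded-protobuf_3_7", "1.0.0").
# The version is taken to start at the first "-" that is followed by a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")

def parse_jar(name):
    m = JAR_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a versioned jar name: {name!r}")
    return m.group("artifact"), m.group("version")

def version_key(version):
    # Compare the numeric components only, so that 2.11.2 > 2.9.9 (a plain
    # string compare gets this wrong); qualifiers such as "-jre" are ignored.
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))

def diff_jar_lists(old, new):
    old_map = dict(parse_jar(j) for j in old)
    new_map = dict(parse_jar(j) for j in new)
    return {
        "added": sorted(a for a in new_map if a not in old_map),
        "removed": sorted(a for a in old_map if a not in new_map),
        "updated": sorted((a, old_map[a], new_map[a])
                          for a in old_map if a in new_map and old_map[a] != new_map[a]),
    }

def below_minimum(jars, minimums):
    # Artifacts still present at a version lower than the floor given for them.
    present = dict(parse_jar(j) for j in jars)
    return sorted(a for a, floor in minimums.items()
                  if a in present and version_key(present[a]) < version_key(floor))

# Constructed subset of the 5.2.3 / 5.3.0 lists from the comment above.
OLD_523 = ["commons-httpclient-3.1.jar", "guava-13.0.1.jar", "hadoop-common-3.1.0.jar",
           "hadoop-hdfs-3.1.0.jar", "jackson-databind-2.10.2.jar",
           "jackson-mapper-asl-1.9.13.jar", "htrace-core4-4.2.0-incubating.jar"]
NEW_530 = ["guava-29.0-jre.jar", "hadoop-common-3.3.0.jar", "hadoop-hdfs-3.3.0.jar",
           "hadoop-shaded-protobuf_3_7-1.0.0.jar", "jackson-databind-2.11.2.jar",
           "htrace-core4-4.2.0-incubating.jar"]
# Fixed versions taken from the resolutions in the issue text.
MINIMUMS = {"guava": "24.1.1", "hadoop-common": "3.1.1", "hadoop-hdfs": "3.1.2",
            "jackson-databind": "2.9.9"}

if __name__ == "__main__":
    print(diff_jar_lists(OLD_523, NEW_530))
    print("below fixed version in 5.2.3:", below_minimum(OLD_523, MINIMUMS))
    print("below fixed version in 5.3.0:", below_minimum(NEW_530, MINIMUMS))
```

Note that servlet-api-2.5.jar and javax.servlet-api-4.0.1.jar have different artifact names, so a diff of this kind reports that row as one removal plus one addition rather than an update.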
The streamsx.hdfs vulnerability issue (#129) is corrected in version 5.3.0:
https://github.com/IBMStreams/streamsx.hdfs/releases/tag/v5.3.0