
Upgrade hadoop client to fix vulnerability #50

Closed
kaklakariada opened this issue Oct 5, 2022 · 5 comments · Fixed by #61

@kaklakariada
Collaborator

kaklakariada commented Oct 5, 2022

Upgrade Hadoop as soon as a fixed version is available.
See https://ossindex.sonatype.org/vulnerability/sonatype-2022-5732

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project parquet-io-java: Detected 1 vulnerable components:
Error:    org.apache.hadoop:hadoop-hdfs-client:jar:3.3.4:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.hadoop/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * 1 vulnerability found (8.6); https://ossindex.sonatype.org/vulnerability/sonatype-2022-5732

Check https://search.maven.org/artifact/org.apache.hadoop/hadoop-hdfs-client for new Hadoop versions.

@kaklakariada kaklakariada added the bug Unwanted / harmful behavior label Oct 5, 2022
@ckunki ckunki added security and removed bug Unwanted / harmful behavior labels Oct 24, 2022
@ckunki
Contributor

ckunki commented Jan 10, 2023

The vulnerability is reported for reading XML data, while the payload for virtual-schema-common-document-files only supports the formats json, csv, and parquet.

@redcatbear

redcatbear commented Jan 30, 2023

I just checked and 3.3.4 is still the latest version of the hadoop-hdfs-client: See release list.

@redcatbear

Still no new release of the Hadoop HDFS Client.

@morazow
Contributor

morazow commented Apr 12, 2023

I just checked this; unfortunately, the latest 3.3.5 version still contains the vulnerability:

[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project parquet-io-java: Detected 1 vulnerable components:
[ERROR]   org.apache.hadoop:hadoop-hdfs-client:jar:3.3.5:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.hadoop/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]     * 1 vulnerability found (8.6); https://ossindex.sonatype.org/vulnerability/sonatype-2022-5732
[ERROR] 
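
As an added example (not code from this issue or from the project), a small Python parser for the ossindex-maven-plugin audit lines quoted above by kaklakariada and morazow: it extracts the coordinate, version, CVSS score and OSS Index id from each finding, and flags a vulnerability that a version bump (here 3.3.4 to 3.3.5) did not remove. The names Finding, parse_audit and unresolved_after_upgrade are my own; the sample logs are constructed from the two quoted runs with the component URLs trimmed.

```python
import re
from dataclasses import dataclass

# The audit output appears in two shapes on this page: GitHub Actions prefixes
# lines with "Error:", plain Maven with "[ERROR]". Accept both.
PREFIX = r"^(?:Error:|\[ERROR\])\s*"
COMPONENT_RE = re.compile(
    PREFIX + r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[\w.\-]+):\w+;")
VULN_RE = re.compile(
    PREFIX + r"\*\s*(?P<count>\d+) vulnerabilit(?:y|ies) found \((?P<score>[\d.]+)\);\s*(?P<url>\S+)")

@dataclass(frozen=True)
class Finding:
    coordinate: str  # groupId:artifactId
    version: str
    score: float     # CVSS score printed in parentheses by the plugin
    vuln_id: str     # last path segment of the OSS Index vulnerability URL

def parse_audit(log: str) -> list:
    """Pair each vulnerable-component line with the vulnerability line(s) under it."""
    findings, current = [], None
    for line in log.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            current = (f"{m['group']}:{m['artifact']}", m["version"])
            continue
        m = VULN_RE.match(line)
        if m and current:
            vuln_id = m["url"].rstrip("/").rsplit("/", 1)[-1]
            findings.append(Finding(current[0], current[1], float(m["score"]), vuln_id))
    return findings

def unresolved_after_upgrade(before: list, after: list) -> list:
    """Vulnerability ids still reported for the same coordinate after a version bump."""
    seen = {(f.coordinate, f.vuln_id) for f in before}
    return sorted((f.coordinate, f.version, f.vuln_id)
                  for f in after if (f.coordinate, f.vuln_id) in seen)

# Constructed samples modelled on the two audit runs quoted in this issue (URLs trimmed).
LOG_334 = """Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project parquet-io-java: Detected 1 vulnerable components:
Error:    org.apache.hadoop:hadoop-hdfs-client:jar:3.3.4:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.hadoop/hadoop-hdfs-client@3.3.4
Error:      * 1 vulnerability found (8.6); https://ossindex.sonatype.org/vulnerability/sonatype-2022-5732
"""
LOG_335 = """[ERROR] Failed to execute goal ossindex-maven-plugin:3.2.0:audit on project parquet-io-java: Detected 1 vulnerable components:
[ERROR]   org.apache.hadoop:hadoop-hdfs-client:jar:3.3.5:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.hadoop/hadoop-hdfs-client@3.3.5
[ERROR]     * 1 vulnerability found (8.6); https://ossindex.sonatype.org/vulnerability/sonatype-2022-5732
[ERROR] 
"""
```

Running unresolved_after_upgrade(parse_audit(LOG_334), parse_audit(LOG_335)) reproduces what morazow observed: the same OSS Index id is still attached to hadoop-hdfs-client after the bump.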

@Nicoretti Nicoretti removed the blocked:yes Currently blocked by another ticket label Jun 22, 2023
morazow added a commit that referenced this issue Jun 28, 2023
@morazow morazow self-assigned this Jun 28, 2023
@kaklakariada kaklakariada self-assigned this Jun 28, 2023