
Vulnerability in hadoop-shaded-guava-1.1.1.jar (shaded: com.google.guava:guava:30.1.1-jre) #24981

Closed
Patras3 opened this issue Jul 6, 2023 · 1 comment
Labels
security Pull requests that address a security vulnerability severity:high Vulnerability scan classification for High Severity issues Source: Internal PR or issue was opened by an employee Team: Integration Type: Defect
Milestone

Comments

@Patras3
Contributor

Patras3 commented Jul 6, 2023

CVE-2023-2976

Referenced In Projects/Scopes:
hazelcast-jet-files-s3:compile
hazelcast-jet-hadoop-dist:compile
hazelcast-distribution:compile
hazelcast-jet-files-gcs:compile
hazelcast-jet-files-azure:compile
hazelcast-jet-hadoop-all:compile

This vulnerability was found for all supported branches except 4.2.z

There is no update available yet on the Hadoop side:
https://mvnrepository.com/artifact/org.apache.hadoop.thirdparty/hadoop-shaded-guava
and I was not able to find a corresponding task in their Jira.

@Patras3 Patras3 added Type: Defect Source: Internal PR or issue was opened by an employee security Pull requests that address a security vulnerability severity:high Vulnerability scan classification for High Severity issues Team: Integration labels Jul 6, 2023
@Patras3 Patras3 added this to the 5.4 Backlog milestone Jul 6, 2023
@AyberkSorgun AyberkSorgun modified the milestones: 5.4 Backlog, Backlog Apr 8, 2024
@gbarnett-hz
Contributor

hadoop-shaded-guava 1.2.0 is using Guava 32.0.1-jre which looks to have the CVE fixed.

```
$ cat META-INF/DEPENDENCIES
// ------------------------------------------------------------------
// Transitive dependencies of this project determined from the
// maven pom organized by organization.
// ------------------------------------------------------------------

Apache Hadoop shaded Guava

From: 'an unknown organization'
  - FindBugs-jsr305 (http://findbugs.sourceforge.net/) com.google.code.findbugs:jsr305:jar:3.0.2
    License: The Apache Software License, Version 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
  - Guava InternalFutureFailureAccess and InternalFutures (https://github.com/google/guava/failureaccess) com.google.guava:failureaccess:bundle:1.0.1
    License: The Apache Software License, Version 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
  - Guava: Google Core Libraries for Java (https://github.com/google/guava) com.google.guava:guava:bundle:32.0.1-jre
    License: Apache License, Version 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
  - Guava ListenableFuture only (https://github.com/google/guava/listenablefuture) com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava
    License: The Apache Software License, Version 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
  - J2ObjC Annotations (https://github.com/google/j2objc/) com.google.j2objc:j2objc-annotations:jar:2.8
    License: Apache License, Version 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
  - Checker Qual (https://checkerframework.org/) org.checkerframework:checker-qual:jar:3.33.0
    License: The MIT License  (http://opensource.org/licenses/MIT)

From: 'Google LLC' (http://www.google.com)
  - error-prone annotations (https://errorprone.info/error_prone_annotations) com.google.errorprone:error_prone_annotations:jar:2.18.0
    License: Apache 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
```

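The check gbarnett-hz did by hand (open the shaded jar, read `META-INF/DEPENDENCIES`, see which Guava is embedded) is easy to automate for a build gate. The script below is an added example, not code from this issue, Hazelcast or Hadoop: it pulls the `com.google.guava:guava` coordinate out of the DEPENDENCIES text and compares it against 32.0.0, the first Guava release carrying the CVE-2023-2976 fix (the issue affects 1.0 through 31.1, independent of the `-jre`/`-android` qualifier). `SAMPLE_DEPENDENCIES` is a constructed excerpt in the same format as the listing above; `check_jar` and the other function names are this example's own.

```python
import re
import sys
import zipfile

# Constructed excerpt, in the format Maven's remote-resources plugin writes to
# META-INF/DEPENDENCIES (mirrors the hadoop-shaded-guava 1.2.0 listing above).
SAMPLE_DEPENDENCIES = """\
// ------------------------------------------------------------------
// Transitive dependencies of this project determined from the
// maven pom organized by organization.
// ------------------------------------------------------------------

Apache Hadoop shaded Guava

From: 'an unknown organization'
  - FindBugs-jsr305 (http://findbugs.sourceforge.net/) com.google.code.findbugs:jsr305:jar:3.0.2
    License: The Apache Software License, Version 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
  - Guava InternalFutureFailureAccess and InternalFutures (https://github.com/google/guava/failureaccess) com.google.guava:failureaccess:bundle:1.0.1
    License: The Apache Software License, Version 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
  - Guava: Google Core Libraries for Java (https://github.com/google/guava) com.google.guava:guava:bundle:32.0.1-jre
    License: Apache License, Version 2.0  (http://www.apache.org/licenses/LICENSE-2.0.txt)
"""

# Maven coordinate as DEPENDENCIES prints it: groupId:artifactId:type:version.
# URLs and "License:" lines do not match because '/' and ' ' are outside the classes.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):(?P<version>[\w.\-]+)"
)

# CVE-2023-2976 (FileBackedOutputStream creating its temp file in the shared
# java.io.tmpdir) affects Guava 1.0 through 31.1 and is fixed in 32.0.0.
GUAVA_FIXED = (32, 0, 0)


def find_coordinate(text, group, artifact):
    """Return the version string listed for group:artifact, or None if absent."""
    for m in COORD_RE.finditer(text):
        if m.group("group") == group and m.group("artifact") == artifact:
            return m.group("version")
    return None


def parse_version(version):
    """'32.0.1-jre' -> (32, 0, 1): qualifier dropped, missing components padded with 0."""
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def guava_vulnerable(version):
    """True if this Guava version predates the CVE-2023-2976 fix."""
    return parse_version(version) < GUAVA_FIXED


def check_dependencies_text(text):
    """Classify a DEPENDENCIES file as ('fixed' | 'vulnerable' | 'absent', version)."""
    version = find_coordinate(text, "com.google.guava", "guava")
    if version is None:
        return ("absent", None)
    return ("vulnerable" if guava_vulnerable(version) else "fixed", version)


def check_jar(path):
    """Open a (shaded) jar and classify the Guava it declares.

    'no-dependencies-file' means the jar carries no META-INF/DEPENDENCIES at all,
    so this metadata-based check cannot say anything and a class-level inspection
    of the relocated Guava classes is needed instead.
    """
    with zipfile.ZipFile(path) as jar:
        if "META-INF/DEPENDENCIES" not in jar.namelist():
            return ("no-dependencies-file", None)
        text = jar.read("META-INF/DEPENDENCIES").decode("utf-8", "replace")
    return check_dependencies_text(text)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for jar_path in sys.argv[1:]:
            print(jar_path, *check_jar(jar_path))
    else:
        print("sample", *check_dependencies_text(SAMPLE_DEPENDENCIES))
```

Run it as `python check_guava.py hadoop-shaded-guava-1.1.1.jar hadoop-shaded-guava-1.2.0.jar` to get one verdict per jar; the first reports `vulnerable 30.1.1-jre`, the second `fixed 32.0.1-jre`. Keep in mind that DEPENDENCIES is build-time metadata derived from the POM, not from the bytecode: a shaded jar built without the remote-resources plugin, or with a hand-edited listing, will not be caught, which is why the `no-dependencies-file` outcome is treated as "unknown" rather than "clean".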
devOpsHazelcast pushed a commit that referenced this issue Jul 10, 2024
…[5.3.z] (#2561)

Fixes #22541
Fixes #24981
Fixes #26354

Closes https://hazelcast.atlassian.net/browse/REL-279

Backports https://github.com/hazelcast/hazelcast-mono/pull/2467

Notes:
1. apache/parquet-java@274dc51b has broken `ParquetWriter#close()`. See also: https://issues.apache.org/jira/browse/PARQUET-2496 and apache/parquet-java#2935.
2. `hadoop2` classifier has been removed from `avro-mapred`. See also: https://github.com/hazelcast/hazelcast-mono/pull/834.
3. Upgrades `software.amazon.awssdk` from 2.20.95 to 2.24.13.
4. Upgrades `maven-shade-plugin` to 3.6.0 because `org.apache.parquet:parquet-jackson:1.14.1` has classes compiled with Java 21.
5. Allows `MIT-0` license, which is used by `org.reactivestreams:reactive-streams:1.0.4`. See also: #25325.
6. Adds `jar-with-dependencies` classifier to `hazelcast-jet-kafka` and `hazelcast-jet-mongodb` in enterprise-sql-it/pom.xml because `animal-sniffer-maven-plugin` cannot find some transitive dependencies (`kafka-clients` and `mongodb-driver-sync`) in `mvn verify` (it can find them in `mvn install`). See also: https://hazelcast.slack.com/archives/C07066ELRRD/p1720539966962809.
GitOrigin-RevId: e838e0abe0123ef6580d31ada5e675dab1526c20
devOpsHazelcast pushed a commit that referenced this issue Jul 10, 2024
…#2571)

Fixes #22541
Fixes #24981
Fixes #26354

Closes https://hazelcast.atlassian.net/browse/REL-257

Forwardports https://github.com/hazelcast/hazelcast-mono/pull/2467

Notes:
1. apache/parquet-java@274dc51b has broken `ParquetWriter#close()`. See also: https://issues.apache.org/jira/browse/PARQUET-2496 and apache/parquet-java#2935.
2. Adds `jdk8` classifier to `jline` because it contains classes compiled with Java 22, which breaks the build. See also: jline/jline3#937 (comment).
GitOrigin-RevId: 519e71667822b3fd7d2c7cf654f261a8a238d583