Hadoop Common / HADOOP-19074

Transitive dependencies with CVEs in Hadoop distro


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.4.0
    • Fix Version/s: None
    • Component/s: build
    • Labels: Patch, Important

    Description

      Our ongoing security scans are turning up several long-standing CVEs, even in the most recent version of Hadoop, which is making it difficult for us to use Hadoop in our ecosystem. A comprehensive list of all the long-standing CVEs and the JARs holding them is attached. I'm asking for community assistance to address these high-risk vulnerabilities as soon as possible.


      | Vulnerability ID | Severity | Package name | Package version | Package type | Package path | Suggested fix |
      |---|---|---|---|---|---|---|
      | CVE-2023-2976 | High | com.google.guava:guava | 30.1.1-jre | java | /hadoop-3.4.0/share/hadoop/common/lib/hadoop-shaded-guava-1.1.1.jar | v32.0.0-android |
      | CVE-2023-2976 | High | com.google.guava:guava | 30.1.1-jre | java | /hadoop-3.4.0/share/hadoop/client/hadoop-client-runtime-3.4.0-SNAPSHOT.jar | v32.0.0-android |
      | CVE-2023-2976 | High | com.google.guava:guava | 12.0.1 | java | /hadoop-3.4.0/share/hadoop/yarn/timelineservice/lib/guava-12.0.1.jar | v32.0.0-android |
      | CVE-2023-2976 | High | com.google.guava:guava | 27.0-jre | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/guava-27.0-jre.jar | v32.0.0-android |
      | CVE-2023-2976 | High | com.google.guava:guava | 27.0-jre | java | /hadoop-3.4.0/share/hadoop/common/lib/guava-27.0-jre.jar | v32.0.0-android |
      | CVE-2023-2976 | High | com.google.guava:guava | 30.1.1-jre | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/hadoop-shaded-guava-1.1.1.jar | v32.0.0-android |
      | CVE-2022-25647 | High | com.google.code.gson:gson | 2.8.5 | java | /hadoop-3.4.0/share/hadoop/yarn/timelineservice/lib/hbase-shaded-gson-3.0.0.jar | v2.8.9 |
      | CVE-2022-3171 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/client/hadoop-client-runtime-3.4.0-SNAPSHOT.jar | v3.16.3 |
      | CVE-2022-3171 | High | com.google.protobuf:protobuf-java | 2.5.0 | java | /hadoop-3.4.0/share/hadoop/yarn/lib/protobuf-java-2.5.0.jar | v3.16.3 |
      | CVE-2022-3171 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/common/lib/hadoop-shaded-guava-1.1.1.jar | v3.16.3 |
      | CVE-2022-3171 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/common/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2022-3509 | High | com.google.protobuf:protobuf-java | 2.5.0 | java | /hadoop-3.4.0/share/hadoop/yarn/lib/protobuf-java-2.5.0.jar | v3.16.3 |
      | CVE-2022-3509 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/client/hadoop-client-runtime-3.4.0-SNAPSHOT.jar | v3.16.3 |
      | CVE-2022-3509 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2022-3509 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/common/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2022-3510 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2022-3510 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/common/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2022-3510 | High | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/client/hadoop-client-runtime-3.4.0-SNAPSHOT.jar | v3.16.3 |
      | CVE-2022-3510 | High | com.google.protobuf:protobuf-java | 2.5.0 | java | /hadoop-3.4.0/share/hadoop/yarn/lib/protobuf-java-2.5.0.jar | v3.16.3 |
      | CVE-2023-39410 | High | org.apache.avro:avro | 1.9.2 | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/avro-1.9.2.jar | v1.11.3 |
      | CVE-2023-39410 | High | org.apache.avro:avro | 1.9.2 | java | /hadoop-3.4.0/share/hadoop/client/hadoop-client-runtime-3.4.0-SNAPSHOT.jar | v1.11.3 |
      | CVE-2023-39410 | High | org.apache.avro:avro | 1.9.2 | java | /hadoop-3.4.0/share/hadoop/common/lib/avro-1.9.2.jar | v1.11.3 |
      | CVE-2021-22570 | Medium | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/client/hadoop-client-runtime-3.4.0-SNAPSHOT.jar | v3.16.3 |
      | CVE-2021-22570 | Medium | com.google.protobuf:protobuf-java | 2.5.0 | java | /hadoop-3.4.0/share/hadoop/yarn/lib/protobuf-java-2.5.0.jar | v3.16.3 |
      | CVE-2021-22570 | Medium | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2021-22570 | Medium | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/common/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2021-22569 | Medium | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/client/hadoop-client-runtime-3.4.0-SNAPSHOT.jar | v3.16.3 |
      | CVE-2021-22569 | Medium | com.google.protobuf:protobuf-java | 2.5.0 | java | /hadoop-3.4.0/share/hadoop/yarn/lib/protobuf-java-2.5.0.jar | v3.16.3 |
      | CVE-2021-22569 | Medium | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2021-22569 | Medium | com.google.protobuf:protobuf-java | 3.7.1 | java | /hadoop-3.4.0/share/hadoop/common/lib/hadoop-shaded-protobuf_3_7-1.1.1.jar | v3.16.3 |
      | CVE-2018-10237 | Medium | com.google.guava:guava | 12.0.1 | java | /hadoop-3.4.0/share/hadoop/yarn/timelineservice/lib/guava-12.0.1.jar | v32.0.0-android |
      | CVE-2020-8908 | Low | com.google.guava:guava | 30.1.1-jre | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/hadoop-shaded-guava-1.1.1.jar | v32.0.0-android |
      | CVE-2020-8908 | Low | com.google.guava:guava | 27.0-jre | java | /hadoop-3.4.0/share/hadoop/hdfs/lib/guava-27.0-jre.jar | v32.0.0-android |
      | CVE-2020-8908 | Low | com.google.guava:guava | 30.1.1-jre | java | /hadoop-3.4.0/share/hadoop/common/lib/hadoop-shaded-guava-1.1.1.jar | v32.0.0-android |
      | CVE-2020-8908 | Low | com.google.guava:guava | 27.0-jre | java | /hadoop-3.4.0/share/hadoop/common/lib/guava-27.0-jre.jar | v32.0.0-android |
      | CVE-2020-8908 | Low | com.google.guava:guava | 30.1.1-jre | java | /hadoop-3.4.0/share/hadoop/client/hadoop-client-runtime-3.4.0-SNAPSHOT.jar | v32.0.0-android |
      | CVE-2020-8908 | Low | com.google.guava:guava | 12.0.1 | java | /hadoop-3.4.0/share/hadoop/yarn/timelineservice/lib/guava-12.0.1.jar | v32.0.0-android |

      Attachments

        1. HADOOP_CVE_LIST.xlsx
          12 kB
          Prathap Sagar S


      People

        Assignee: Unassigned
        Reporter: Prathap Sagar S (prathapsagars)
        Votes: 0
        Watchers: 4