[HDDS-10600] Bump nimbus-jose-jwt version - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Done
Affects Version/s: 1.5.0
Fix Version/s: 1.5.0, 1.4.1
Component/s: None
Labels:
- pull-request-available

Target Version/s:

1.4.1

Description

It's a continuation of the investigation made in ~~HDDS-10589~~
hdds-hadoop-dependency-(client|server) modules depend on hadoop-common, the latter depends on com.nimbusds:nimbus-jose-jwt:9.8.1 (through org.apache.hadoop:hadoop-auth).

The 9.8.1th version of the com.nimbusds:nimbus-jose-jwt library contains a shaded version of the net.minidev:json-smart:1.3.2 (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/815b98228df7be7b918ae368ea003a034768f769/pom.xml#lines-59) that has a CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-31684.

The nearest version of the nimbus-jose-jwt that doesn't have the CVE is 9.24 - there the json-smart library was replaced with com.google.code.gson:gson.
Hence, we need to exclude nimbus-jose-jwt dependency from the hadoop-common transitive dependencies list in hdds-hadoop-dependency-(client|server) modules and include it directly with the certain version (9.24)

Attachments

Issue Links

is related to

HADOOP-19115 upgrade to nimbus-jose-jwt 9.37.2 due to CVE

Resolved

HADOOP-18711 upgrade nimbus jwt jar due to issues in its embedded shaded json-smart code

Resolved

links to

GitHub Pull Request #6454

Activity

People

Assignee:: Vyacheslav Tutrinov

Reporter:: Vyacheslav Tutrinov

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 27/Mar/24 13:15

Updated:: 10/Apr/24 08:13

Resolved:: 28/Mar/24 19:09