Details
-
Bug
-
Status: Open
-
Blocker
-
Resolution: Unresolved
-
3.5.1
-
None
Description
We have some HIGH CVEs which are coming from hadoop-client-runtime 3.3.4 and hence we need to address those
com.fasterxml.jackson.core:jackson-databind causing CVE-2022-42003 and CVE-2022-42004
(org.apache.hadoop_hadoop-client-runtime-3.3.4.jar)
com.google.protobuf:protobuf-java
(org.apache.hadoop_hadoop-client-runtime-3.3.4.jar) causing CVE-2021-22569, CVE-2021-22570, CVE-2022-3509 and CVE-2022-3510
net.minidev:json-smart causing CVE-2021-31684, CVE-2023-1370
(org.apache.hadoop_hadoop-client-runtime-3.3.4.jar)
org.apache.avro:avro
(org.apache.hadoop_hadoop-client-runtime-3.3.4.jar) causing CVE-2023-39410
org.apache.commons:commons-compress causing CVE-2024-25710, CVE-2024-26308
(org.apache.hadoop_hadoop-client-runtime-3.3.4.jar)
Most of these have gone in hadoop client runtime 3.4.0
Is there a plan to support hadoop 3.4.0 ?
Attachments
Issue Links
- is a clone of
-
-
- Resolved
-
- is cloned by
-
FLUME-3481 Extend spark 3.5.1 to support hadoop-client-api 3.4.0, hadoop-client-runtime-3.4.0
-
- Closed
-