  1. Hadoop Common
  2. HADOOP-18067 Über-jira: S3A Hadoop 3.3.5 features
  3. HADOOP-18344

AWS SDK update to 1.12.262 to address jackson CVE-2018-7489 and AWS CVE-2022-31159

Details

    • Reviewed
    • The AWS SDK has been updated to 1.12.262 to address jackson CVE-2018-7489

    Description

      The CVE CVE-2022-31159 is a vulnerability in path resolution in the AWS SDK transfer manager during downloads.

      The s3a client is not exposed to this. It uses the class for local file upload and for object copying, but not download.

      It may affect downstream use by other applications.

      Yet another Jackson CVE in AWS SDK
      https://github.com/apache/hadoop/pull/4491/commits/5496816b472473eb7a9c174b7d3e69b6eee1e271

      Maybe we need to have a list of all shaded Jacksons we get on the CP and have a process of upgrading them all at the same time.

            People

              stevel@apache.org Steve Loughran

                Time Tracking

                  Original Estimate - Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 4.5h
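The description suggests keeping a list of every shaded Jackson on the classpath so they can be upgraded together. One way to build that list, as an added example that is not part of the issue or of Hadoop's code: scan each jar for a `jackson/databind/ObjectMapper.class` entry under any package prefix. It assumes a shaded jar may or may not have kept Jackson's `pom.properties`; the jar names, the `org.example.shaded` relocation prefix and the version string in `demo()` are constructed.

```python
import tempfile
import zipfile
from pathlib import Path

MARKER = "/jackson/databind/ObjectMapper.class"   # present in every databind copy
UNSHADED = "com.fasterxml.jackson"                # Jackson's original package
POM = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"

def jackson_copies(jar_path):
    """Return [(package, shaded, version)] for each Jackson databind copy in a jar."""
    found = []
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        version = "unknown"   # shading often strips the Maven metadata
        if POM in names:
            for line in jar.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        for name in names:
            if name.endswith(MARKER):
                # Drop "/databind/ObjectMapper.class" to get the Jackson root package
                pkg = name[: -len("/databind/ObjectMapper.class")].replace("/", ".")
                found.append((pkg, pkg != UNSHADED, version))
    return found

def inventory(classpath_dir):
    """Map jar file name -> Jackson copies, for every jar under a directory."""
    report = {}
    for jar in sorted(Path(classpath_dir).rglob("*.jar")):
        try:
            copies = jackson_copies(jar)
        except zipfile.BadZipFile:
            continue   # not a readable archive; skip rather than abort the scan
        if copies:
            report[jar.name] = copies
    return report

def demo():
    """Inventory two constructed jars: one plain Jackson, one relocated copy."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp, "plain.jar"), "w") as z:
            z.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", b"")
            z.writestr(POM, "version=2.0.0-constructed\n")
        with zipfile.ZipFile(Path(tmp, "bundle.jar"), "w") as z:
            z.writestr("org/example/shaded/jackson/databind/ObjectMapper.class", b"")
        return inventory(tmp)

if __name__ == "__main__":
    print(demo())
```

A copy reported with version `unknown` still has to be traced back to the version of the artifact that bundles it.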