[ 
https://issues.apache.org/jira/browse/HADOOP-17844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17701408#comment-17701408
 ] 

ASF GitHub Bot commented on HADOOP-17844:
-----------------------------------------

degant commented on PR #3299:
URL: https://github.com/apache/hadoop/pull/3299#issuecomment-1472825586

   @steveloughran as pointed out by @sangys there are still 3 jars as part of 
hadoop 3.3.4 that include json-smart 1.3.2. As a result hadoop 3.3.4 continues 
to get flagged for 
[CVE-2021-31684](https://github.com/advisories/GHSA-fg2v-w576-w4v3)
   
   I used the below to check all versions of json-smart inside all packages:
   ```sh
   # 1. list every jar under the current tree that contains a json-smart entry
   jar_files=$(find . -iname "*.jar" | xargs -I '{}' sh -c "jar tf '{}' | grep -e 'json-smart' -q --label='{}' && echo '{}' ")
   # 2. for each hit, print the version recorded in the (possibly shaded) json-smart pom.properties, then the jar path
   echo "$jar_files" | xargs -I '{}' sh -c "bsdtar -xO -f '{}' 'META-INF/maven/net.minidev/json-smart/pom.properties' | grep -i version && echo '{}'"
   ```
   which returns
   
   > version=1.3.2
   > ./share/hadoop/client/hadoop-client-runtime-3.3.4.jar
   > version=1.3.2
   > ./share/hadoop/hdfs/lib/nimbus-jose-jwt-9.8.1.jar
   > version=2.4.7
   > ./share/hadoop/hdfs/lib/json-smart-2.4.7.jar
   > version=1.3.2
   > ./share/hadoop/common/lib/nimbus-jose-jwt-9.8.1.jar
   > version=2.4.7
   > ./share/hadoop/common/lib/json-smart-2.4.7.jar
   
   hadoop-client-runtime-3.3.4 and nimbus-jose-jwt-9.8.1 both include the 
shaded json-smart 1.3.2
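The check above relies on the shaded copy still carrying its original `META-INF/maven/net.minidev/json-smart/pom.properties`. The following is an added example (not code from the comment or from the Hadoop project) that performs the same scan in Python with `zipfile`, and goes slightly further than the shell one-liner: it recurses into jars nested inside other jars and compares each version found against 2.4.5, the lowest fixed release named in the ticket. The directory layout it scans is a constructed fixture built in a temporary directory to mimic the paths listed above; the jar contents, the nesting depth limit, and the `unrelated.jar` file are assumptions for the demonstration, not real Hadoop artifacts. It shares the one-liner's blind spot: a shade plugin that relocates or strips `META-INF/maven` will not be detected this way, and a class-name search would be needed instead.

```python
import io
import os
import tempfile
import zipfile

# Path a shaded json-smart leaves behind unless the shader strips META-INF/maven.
POM_PATH = "META-INF/maven/net.minidev/json-smart/pom.properties"
# From the ticket: CVE-2021-31684 is fixed in json-smart 2.4.5 or later.
FIXED_VERSION = (2, 4, 5)


def parse_version(text):
    """Turn '2.4.7' into (2, 4, 7); a non-numeric tail such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def json_smart_version(pom_properties):
    """Return the 'version=' value from a pom.properties body, or None if absent."""
    for line in pom_properties.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "version":
            return value.strip()
    return None


def scan_jar(data, label, depth=0, max_depth=3):
    """Return [(label, version)] for every json-smart pom.properties in the archive,
    recursing into nested .jar entries (max_depth is an assumed safety limit)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PATH in names:
            version = json_smart_version(zf.read(POM_PATH))
            if version:
                findings.append((label, version))
        if depth < max_depth:
            for name in names:
                if name.lower().endswith(".jar"):
                    findings.extend(scan_jar(zf.read(name), f"{label}!{name}", depth + 1, max_depth))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every .jar found, labelling by relative path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(".jar"):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    findings.extend(scan_jar(fh.read(), label))
    return findings


def vulnerable(findings):
    """Keep only findings whose version is below the fixed release."""
    return [(label, v) for label, v in findings if parse_version(v) < FIXED_VERSION]


def _make_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)


def build_sample_tree(root):
    """Constructed fixtures mirroring the layout in the comment above (not real Hadoop jars)."""
    os.makedirs(os.path.join(root, "share/hadoop/common/lib"), exist_ok=True)
    os.makedirs(os.path.join(root, "share/hadoop/client"), exist_ok=True)
    _make_jar(os.path.join(root, "share/hadoop/common/lib/json-smart-2.4.7.jar"),
              {POM_PATH: "groupId=net.minidev\nartifactId=json-smart\nversion=2.4.7\n"})
    _make_jar(os.path.join(root, "share/hadoop/common/lib/nimbus-jose-jwt-9.8.1.jar"),
              {POM_PATH: "version=1.3.2\n", "com/nimbusds/jose/shaded/json/JSONValue.class": b""})
    # A jar nested inside another jar, to exercise the recursion (assumed layout).
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PATH, "version=2.4.2\n")
    _make_jar(os.path.join(root, "share/hadoop/client/hadoop-client-runtime-3.3.4.jar"),
              {"lib/json-smart-2.4.2.jar": inner.getvalue(), "org/apache/hadoop/Foo.class": b""})
    _make_jar(os.path.join(root, "share/hadoop/client/unrelated.jar"),
              {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})


def demo():
    """Build the fixture tree, scan it, and return (all findings, vulnerable findings)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        return findings, vulnerable(findings)


if __name__ == "__main__":
    for label, version in demo()[1]:
        print(f"VULNERABLE json-smart {version} in {label}")
```

Point `scan_tree` at an unpacked Hadoop distribution to reproduce the comment's listing; the `!` in a label marks a copy found inside a nested jar, which the `jar tf | grep` approach would only report at the outer jar's level.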




> Upgrade JSON smart to 2.4.7
> ---------------------------
>
>                 Key: HADOOP-17844
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17844
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Renukaprasad C
>            Assignee: Renukaprasad C
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.2.3, 3.3.2
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Currently we are using JSON Smart 2.4.2 version which is vulnerable to - 
> CVE-2021-31684.
> We can upgrade the version to 2.4.7 (2.4.5 or later).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
