hazelcast-jet
Vulnerabilities in AWS Java SDK Bundle used by Jet master
Jet uses AWS Java SDK Bundle 1.11.934,
which shades some artifacts with vulnerabilities.
It shades com.fasterxml.jackson.core:jackson-databind:2.6.7.4,
which includes the following vulnerabilities:
- CVE-2020-35491 - https://nvd.nist.gov/vuln/detail/CVE-2020-35491 (fixed in 2.9.10.8)
- CVE-2020-35490 - https://nvd.nist.gov/vuln/detail/CVE-2020-35491 (fixed in 2.9.10.8)
- CVE-2018-7489 - https://nvd.nist.gov/vuln/detail/CVE-2020-35491 (fixed in 2.7.9.3, 2.8.11.1, 2.9.5)
It shades com.amazonaws:aws-java-sdk-prometheus:1.11.934,
which includes the following vulnerabilities:
- CVE-2019-3826 - https://nvd.nist.gov/vuln/detail/CVE-2019-3826 (fixed in 2.7.1)
It shades com.fasterxml.jackson.core:jackson-annotations:2.6.0
and com.fasterxml.jackson.core:jackson-core:2.6.7,
which include the following vulnerabilities:
- CVE-2018-1000873 - https://nvd.nist.gov/vuln/detail/CVE-2018-1000873 (fixed in 2.9.8)
It shades io.netty:netty-transport:4.1.53.Final,
which includes the following vulnerabilities:
- CVE-2021-21290 - https://nvd.nist.gov/vuln/detail/CVE-2021-21290 (fixed in 4.1.59.Final)
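One way to check a bundle jar for the shaded versions listed in the report above. This is an added example, not Hazelcast or AWS code. It assumes the shaded jar still carries the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries of the artifacts it absorbed; the function names are hypothetical and the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# Fixed-in versions as quoted in the issue text above.
FIXED_IN = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.9.10.8",
    ("io.netty", "netty-transport"): "4.1.59.Final",
}
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def version_key(version):
    """Numeric components only: '4.1.53.Final' -> (4, 1, 53). Crude for qualifiers."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def shaded_artifacts(jar):
    """Yield (groupId, artifactId, version) for each pom.properties left in the jar."""
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not POM_PROPS.match(name):
                continue
            text = zf.read(name).decode("utf-8", "replace")
            props = dict(l.split("=", 1) for l in text.splitlines()
                         if "=" in l and not l.startswith("#"))
            if {"groupId", "artifactId", "version"} <= props.keys():
                yield tuple(props[k].strip() for k in ("groupId", "artifactId", "version"))


def outdated(jar):
    """Return sorted (coordinate, found, fixed_in) for artifacts below the floor."""
    findings = []
    for group, artifact, version in shaded_artifacts(jar):
        floor = FIXED_IN.get((group, artifact))
        if floor and version_key(version) < version_key(floor):
            findings.append((f"{group}:{artifact}", version, floor))
    return sorted(findings)


def sample_bundle(versions):
    """Constructed stand-in for a shaded bundle jar (not the real AWS artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for (group, artifact), version in versions.items():
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    buf.seek(0)
    return buf
```

`outdated()` also accepts a path to a jar on disk. A shaded artifact whose `pom.properties` was filtered out during shading will not be reported, so an empty result is not proof of absence.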
We already use the latest, as of today, version of AWS Java SDK Bundle (1.11.976) - #2989 addressed the Netty part.
There is a newly reported CVE for this version.
AWS Java SDK Bundle 1.11.976
shades com.amazonaws:aws-java-sdk-storagegateway:1.11.976,
which includes the following vulnerability:
- CVE-2021-20291 - https://nvd.nist.gov/vuln/detail/CVE-2021-20291
There is a newly reported CVE for this version.
AWS Java SDK Bundle 1.11.976
shades io.netty:netty-transport:4.1.59.Final,
which includes the following vulnerabilities:
- CVE-2021-21409 - https://nvd.nist.gov/vuln/detail/CVE-2021-21409
- CVE-2021-21295 - https://nvd.nist.gov/vuln/detail/CVE-2021-21295
In Jet 4.5.2 we migrated to AWS Java SDK Bundle 1.12.128,
which shades some artifacts with vulnerabilities.
It shades com.amazonaws:aws-java-sdk-prometheus:1.12.128,
which includes the following vulnerabilities:
- CVE-2019-3826 - https://nvd.nist.gov/vuln/detail/CVE-2019-3826 (fixed in 2.7.1)
It shades com.amazonaws:aws-java-sdk-storagegateway:1.12.128,
which includes the following vulnerabilities:
- CVE-2021-20291 - https://nvd.nist.gov/vuln/detail/CVE-2021-20291 (fixed in 1.28.1)
It shades io.netty:netty-transport:4.1.68.Final,
which includes the following vulnerabilities:
- CVE-2021-43797 - https://nvd.nist.gov/vuln/detail/CVE-2021-43797 (fixed in 4.1.7.1.Final)