hazelcast-jet
Vulnerabilities in jquery used by Jet master
Jet uses org.apache.avro:avro-ipc in version 1.9.2, which includes jquery-1.4.2.min.js, which has some vulnerabilities - https://ossindex.sonatype.org/component/pkg:npm/jquery@1.4.2 (but they cannot be displayed on that page). Maybe they are the following - https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/version_id-235481/Jquery-Jquery-1.4.2.html.
Jet uses org.apache.hadoop:hadoop-yarn-common in version 3.3.0, which includes jquery-3.4.1.min.js, which has some vulnerabilities - https://ossindex.sonatype.org/component/pkg:npm/jquery@3.4.1 (but they cannot be displayed on that page). Maybe they are the following - https://snyk.io/vuln/npm:jquery@3.4.1.
This issue should probably be discussed with @kwart as our security expert.
1.4.2.min:

3.4.1.min:

Please do the evaluation within the Jet team and check if there is a way to upgrade to a safer version(s).
We could update Avro libraries to 1.10.2 (see also #2950). However, from what I see, 1.10.2 contains jquery-1.4.2.min.js as well.
Regarding the second part, version 3.3.0 of Hadoop is the latest, as of today.
I wonder if we should mark these vulnerabilities as false positives - the reason is that libraries like hadoop-yarn-common are used both in server distribution of hadoop, where they serve the javascript to the user and in applications connecting to hadoop, where they are not used.
Alternatively we could exclude the js files from our extension fat jars during shading.
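Whichever route is taken (suppressing the finding or excluding the files during shading), the build should be checked afterwards to confirm the bundled copies are really gone. The following script is an added example for this thread, not code from the Hazelcast Jet project or from anyone in the discussion: it opens a jar with Python's zipfile module, descends into any nested jars (a shaded-but-not-flattened dependency would still carry the file), and reports every jquery*.js entry together with the version parsed from jQuery's banner comment. The fat-jar layout and entry paths produced by build_sample_jar are constructed for illustration and do not claim to match the real avro-ipc or hadoop-yarn-common jars.

```python
"""Find bundled jQuery copies inside a (fat) jar.

Added example for this issue thread; not Hazelcast Jet project code.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# jQuery builds start with a version banner, e.g.
#   "/*!\n * jQuery JavaScript Library v1.4.2"          (1.x style)
#   "/*! jQuery v3.4.1 | (c) JS Foundation ..."         (3.x style)
_BANNER_RE = re.compile(rb"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)")
# jquery-1.4.2.min.js, jquery.flot.js, ... but not a directory named jquery/
_JQUERY_NAME_RE = re.compile(r"(^|/)jquery[-.][^/]*\.js$", re.IGNORECASE)
_NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")


def _version_from_banner(data: bytes) -> str:
    """Version string from the banner, or 'unknown' when no banner matches."""
    m = _BANNER_RE.search(data[:512])
    return m.group(1).decode() if m else "unknown"


def _scan_zip_bytes(data: bytes, prefix: str) -> list:
    """Recursively scan an in-memory zip; prefix tracks the nesting path."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry
            if _JQUERY_NAME_RE.search(name):
                found.append((prefix + name, _version_from_banner(zf.read(name))))
            elif name.lower().endswith(_NESTED_ARCHIVE_SUFFIXES):
                # Dependency jar kept whole inside the fat jar: look inside it too.
                found.extend(_scan_zip_bytes(zf.read(name), prefix + name + "!/"))
    return found


def find_bundled_jquery(jar_path) -> list:
    """Return [(entry_path, version)] for every jquery*.js inside jar_path."""
    return _scan_zip_bytes(Path(jar_path).read_bytes(), "")


def build_sample_jar(path=None) -> str:
    """Write a CONSTRUCTED fat jar resembling the situation in this issue.

    The entry paths are illustrative, not the real avro-ipc/hadoop layout.
    """
    if path is None:
        path = Path(tempfile.mkdtemp()) / "sample-jar-with-dependencies.jar"
    avro_js = (b"/*!\n * jQuery JavaScript Library v1.4.2\n * http://jquery.com/\n */\n"
               b"(function(){})();")
    yarn_js = (b"/*! jQuery v3.4.1 | (c) JS Foundation and other contributors "
               b"| jquery.org/license */\n!function(){}();")
    # A dependency jar that was copied in whole rather than flattened.
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as nz:
        nz.writestr("webapps/static/jquery/jquery-3.4.1.min.js", yarn_js)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/avro/ipc/static/jquery-1.4.2.min.js", avro_js)
        zf.writestr("lib/hadoop-yarn-common-3.3.0.jar", nested.getvalue())
        zf.writestr("static/jquery.flot.js", b"/* plugin, not jQuery core */")
    return str(path)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    hits = find_bundled_jquery(target)
    for entry, version in hits:
        print(f"{version:>8}  {entry}")
    sys.exit(1 if hits else 0)
```

Run it against hazelcast-jet-files-azure-4.5-jar-with-dependencies.jar (or any other extension fat jar) after the shading change; a non-zero exit means a copy is still bundled. Entries reported as "unknown" are jQuery-named files without the core banner (plugins, custom builds) and deserve a manual look rather than an automatic pass. On the Maven side, a maven-shade-plugin filter with `<exclude>**/jquery*.js</exclude>` is one way to produce the clean jar this script then confirms.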
NOTE: For Jet 4.5, for some reason OWASP evaluated this vulnerability as a dependency:
hazelcast-jet-files-azure-4.5-jar-with-dependencies.jar: jquery-1.4.2.min.js
hazelcast-jet-files-azure-4.5-jar-with-dependencies.jar: jquery-3.4.1.min.js
but it seems to be the same dependency, just reported in a different way.