
Vulnerabilities in parquet-jackson used by Jet

Open olukas opened this issue 2 years ago • 1 comments

Jet uses parquet-jackson in version 1.12.3, which shades com.fasterxml.jackson.core:jackson-databind:2.13.2.2, which includes the following vulnerabilities:

  • CVE-2022-42003 - https://nvd.nist.gov/vuln/detail/CVE-2022-42003
  • CVE-2022-42004 - https://nvd.nist.gov/vuln/detail/CVE-2022-42004

It's the same as https://github.com/hazelcast/hazelcast/issues/22407#issuecomment-1268404278

olukas avatar Dec 06 '22 08:12 olukas
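The issue above is a reminder that a shaded (relocated) dependency is invisible to scanners that only read the build descriptor: the Jet POM names parquet-jackson, not jackson-databind. The following added check is not from the issue or the Hazelcast project; it opens the jar itself and looks for the relocated jackson-databind classes and the copied Maven `pom.properties` to recover the real databind version. It assumes that parquet-jackson relocates Jackson under `shaded/parquet/com/fasterxml/jackson/` and that the shade configuration kept `META-INF/maven/.../pom.properties` (not every shade setup does; if it was stripped, the script still reports the relocated classes but no version). The sample jar is constructed inline; `build_sample_jar`, `inspect_jar` and `REPORTED_VULNERABLE_DATABIND` are names chosen here.

```python
"""Find a shaded jackson-databind inside a parquet-jackson style jar.

Added example, not code from the hazelcast-jet issue or project. Build
descriptors list parquet-jackson only; the databind copy is relocated into
the jar, so the jar contents are the thing to inspect.
"""
import io
import re
import zipfile
from typing import Optional

# jackson-databind version the issue reports as shaded by parquet-jackson 1.12.3
REPORTED_VULNERABLE_DATABIND = "2.13.2.2"

# Assumption: parquet-jackson relocates Jackson under this package prefix.
SHADED_PREFIX = "shaded/parquet/com/fasterxml/jackson/databind/"
# Assumption: the shaded jar kept the dependency's Maven pom.properties.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"


def parse_version(text: str) -> tuple:
    """'2.13.2.2' -> (2, 13, 2, 2); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def read_pom_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Return the 'version=' value from the shaded databind pom.properties, if present."""
    try:
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    return m.group(1).strip() if m else None


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report whether relocated databind classes exist and which version they carry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        shaded_classes = [n for n in names
                          if n.startswith(SHADED_PREFIX) and n.endswith(".class")]
        version = read_pom_version(jar)
    # The issue's reply notes that earlier parquet releases shade even older
    # databind versions, so anything at or below 2.13.2.2 is flagged.
    flagged = (version is not None
               and parse_version(version) <= parse_version(REPORTED_VULNERABLE_DATABIND))
    return {
        "shaded_databind_present": bool(shaded_classes),
        "shaded_class_count": len(shaded_classes),
        "databind_version": version,
        "at_or_below_reported_vulnerable": flagged,
    }


def build_sample_jar(version: str, with_pom: bool = True) -> bytes:
    """Constructed stand-in for a parquet-jackson jar (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Minimal class-file headers are enough for a name-based check.
        jar.writestr(SHADED_PREFIX + "ObjectMapper.class", b"\xca\xfe\xba\xbe")
        jar.writestr(SHADED_PREFIX + "deser/BeanDeserializer.class", b"\xca\xfe\xba\xbe")
        if with_pom:
            jar.writestr(POM_PROPS,
                         "groupId=com.fasterxml.jackson.core\n"
                         "artifactId=jackson-databind\n"
                         f"version={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # e.g. a parquet-jackson jar from ~/.m2
            print(inspect_jar(f.read()))
    else:
        print(inspect_jar(build_sample_jar("2.13.2.2")))
```

Run it against the jars actually shipped in the distribution rather than the declared dependency tree; that is where a shaded copy shows up. When `databind_version` comes back `None` but `shaded_databind_present` is true, the shade configuration dropped the Maven metadata and the version has to be taken from the parquet-jackson release notes instead.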

Fix is not possible for 4.5.4 - there is no version of parquet-java that fixes the vulnerability. Previous versions are shading an even more vulnerable version of databind.

TomaszGaweda avatar Dec 06 '22 10:12 TomaszGaweda