Posted to dev@phoenix.apache.org by "Jerry Chabot (JIRA)" <ji...@apache.org> on 2018/12/21 15:27:00 UTC

[jira] [Created] (PHOENIX-5078) Phoenix depends on Guava 13.0.0 which has CVE-2018-10237

Jerry Chabot created PHOENIX-5078:
-------------------------------------

             Summary: Phoenix depends on Guava 13.0.0 which has CVE-2018-10237
                 Key: PHOENIX-5078
                 URL: https://issues.apache.org/jira/browse/PHOENIX-5078
             Project: Phoenix
          Issue Type: Bug
    Affects Versions: 4.14.1
            Reporter: Jerry Chabot


Phoenix has a dependency on guava 13.0.1. This CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237) specifies a vulnerability in Guava 11.0 through 24.x. It is an unbounded memory allocation that allows remote attackers to conduct denial of service attacks. Does this apply to Phoenix?

I want to upgrade our product dependency on Guava. But, doing so had caused problems with Phoenix in the past. Currently, our product's Guava dependency has been stuck at Guava 15.0 to avoid Phoenix issues.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)