You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@storm.apache.org by "Alexandre Vermeerbergen (Jira)" <ji...@apache.org> on 2023/05/13 15:28:00 UTC

[jira] [Closed] (STORM-3918) Bump snakeyaml from 1.32 to 2.0

     [ https://issues.apache.org/jira/browse/STORM-3918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexandre Vermeerbergen closed STORM-3918.
------------------------------------------
    Resolution: Fixed

Sorry for duplicate JIRA

> Bump snakeyaml from 1.32 to 2.0
> -------------------------------
>
>                 Key: STORM-3918
>                 URL: https://issues.apache.org/jira/browse/STORM-3918
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-core
>    Affects Versions: 2.4.0
>            Reporter: Alexandre Vermeerbergen
>            Assignee: Alexandre Vermeerbergen
>            Priority: Critical
>
> Current snakeyaml version is vulnerable to [CVE-2022-1471|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471] which is rated [9.8 CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-1471&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST] by NIST.
> Trivial fix is to update to snakeyaml 2.0.
> I tried to manually replace existing snakeyaml JAR with 2.0 version (but keeping the same JAR file name to avoid issue with potentially hard coded CLASSPATH), and then I restarted all Storm related processes (Nimbus, logview, Supervisor, Nimbus UI...) and deployed some topologies => everything worked fine
> So it looks like a trivial task
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)