[ASTERIXDB-3057][OTH]: Upgrade to jetty-util 9.4.48 to address CVEs
Details:
- CVEs:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2047
- https://nvd.nist.gov/vuln/detail/CVE-2022-2048
Change-Id: I98a042024a31208e074a074657457efba781306b
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17043
Reviewed-by: Hussain Towaileb <hussainht@gmail.com>
Reviewed-by: Michael Blow <mblow@apache.org>
Tested-by: Hussain Towaileb <hussainht@gmail.com>
diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index dbb2382..95ff315 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -542,6 +542,16 @@
<groupId>io.netty</groupId>
<artifactId>netty-transport-native-unix-common</artifactId>
</dependency>
+ <!-- TODO(htowaileb): removed from hadoop transitively and added separately to avoid CVEs, can
+ be removed once upgraded to hadoop 3.3.4 as it addresses the CVEs -->
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </dependency>
</dependencies>
<!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
<repositories>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index 4d9d182..cd90712 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1003,6 +1003,15 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1066,6 +1075,15 @@
<groupId>javax.ws.rs</groupId>
<artifactId>jsr311-api</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1109,6 +1127,15 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1136,6 +1163,11 @@
<groupId>org.jline</groupId>
<artifactId>jline</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1174,6 +1206,15 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1198,6 +1239,15 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -1939,8 +1989,32 @@
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-azure</artifactId>
<version>${hadoop.version}</version>
+ <exclusions>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<!-- Hadoop Azure end -->
+
+ <!-- TODO(htowaileb): removed from hadoop transitively and added separately to avoid CVEs, can
+ be removed once upgraded to hadoop 3.3.4 as it addresses the CVEs -->
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ <version>9.4.48.v20220622</version>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ <version>9.4.48.v20220622</version>
+ </dependency>
</dependencies>
</dependencyManagement>
diff --git a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
index 985515c..b16904d 100644
--- a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
+++ b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
@@ -163,6 +163,15 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -185,6 +194,11 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
diff --git a/hyracks-fullstack/pom.xml b/hyracks-fullstack/pom.xml
index ccd1de5..4345a1d 100644
--- a/hyracks-fullstack/pom.xml
+++ b/hyracks-fullstack/pom.xml
@@ -181,6 +181,15 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -196,6 +205,15 @@
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -207,12 +225,28 @@
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-mapreduce-client-core</artifactId>
<version>${hadoop.version}</version>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusions>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
@@ -225,6 +259,11 @@
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
@@ -414,6 +453,18 @@
<artifactId>snappy-java</artifactId>
<version>${snappy.version}</version>
</dependency>
+ <!-- TODO(htowaileb): removed from hadoop transitively and added separately to avoid CVEs, can
+ be removed once upgraded to hadoop 3.3.4 as it addresses the CVEs -->
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ <version>9.4.48.v20220622</version>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ <version>9.4.48.v20220622</version>
+ </dependency>
</dependencies>
</dependencyManagement>
<build>