Merge pull request #8040 from microsoft/users/v-shufeng/fix-CVE-202311

fengshuaihu · web-flow · commit c8e76ec9a3fe · 2023-12-04T15:49:08.000+08:00
fix 202311 CVE issue
diff --git a/Utils/azure-toolkit-ide-hdinsight-libs/hdinsight-node-common/pom.xml b/Utils/azure-toolkit-ide-hdinsight-libs/hdinsight-node-common/pom.xml
@@ -226,12 +226,22 @@
                     <groupId>org.xerial.snappy</groupId>
                     <artifactId>snappy-java</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.zookeeper</groupId>
+                    <artifactId>zookeeper</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency><!-- hadoop-common 3.3.3 CVE-2023-34455 -->
             <groupId>org.xerial.snappy</groupId>
             <artifactId>snappy-java</artifactId>
         </dependency>
+        <dependency><!-- hadoop-common 3.3.3 CVE-2023-44981 -->
+            <groupId>org.apache.zookeeper</groupId>
+            <artifactId>zookeeper</artifactId>
+            <scope>provided</scope>
+            <version>3.7.2</version>
+        </dependency>
         <dependency>
             <groupId>com.microsoft.azure</groupId>
             <artifactId>azure-client-runtime</artifactId>
diff --git a/Utils/azure-toolkit-ide-hdinsight-libs/spark-localrun-mock/pom.xml b/Utils/azure-toolkit-ide-hdinsight-libs/spark-localrun-mock/pom.xml
@@ -222,12 +222,22 @@
                     <groupId>org.xerial.snappy</groupId>
                     <artifactId>snappy-java</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.zookeeper</groupId>
+                    <artifactId>zookeeper</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency><!-- hadoop-common 3.3.3 CVE-2023-34455 -->
             <groupId>org.xerial.snappy</groupId>
             <artifactId>snappy-java</artifactId>
         </dependency>
+        <dependency><!-- hadoop-common 3.3.3 CVE-2023-44981 -->
+            <groupId>org.apache.zookeeper</groupId>
+            <artifactId>zookeeper</artifactId>
+            <scope>provided</scope>
+            <version>3.7.2</version>
+        </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
             <artifactId>jmockit</artifactId>
@@ -321,6 +331,14 @@
                     <groupId>org.apache.ivy</groupId>
                     <artifactId>ivy</artifactId>
                 </exclusion>
+                <exclusion><!-- CVE-2023-44487 -->
+                    <groupId>io.netty</groupId>
+                    <artifactId>netty-codec-http2</artifactId>
+                </exclusion>
+                <exclusion><!-- CVE-2023-34462 -->
+                    <groupId>io.netty</groupId>
+                    <artifactId>netty-handler</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
