fix(hbase): CVE-34455

razvan · razvan · commit 0a3f0f09916e · 2024-11-13T15:43:01.000+01:00
diff --git a/hbase/stackable/patches/phoenix/5.2.0/02-CVE-2023-34455-update-snappy-version.patch b/hbase/stackable/patches/phoenix/5.2.0/02-CVE-2023-34455-update-snappy-version.patch
@@ -0,0 +1,97 @@
+Fix CVE-2023-34455
+
+See https://github.com/stackabletech/vulnerabilities/issues/558
+
+diff --git a/phoenix-core-client/pom.xml b/phoenix-core-client/pom.xml
+index f711b0f6f..3cfbffef9 100644
+--- a/phoenix-core-client/pom.xml
++++ b/phoenix-core-client/pom.xml
+@@ -230,6 +230,12 @@
+       <groupId>org.apache.hadoop</groupId>
+       <artifactId>hadoop-auth</artifactId>
+     </dependency>
++    <!-- Fix CVE-2023-34455 -->
++    <dependency>
++      <groupId>org.xerial.snappy</groupId>
++      <artifactId>snappy-java</artifactId>
++      <version>1.1.10.4</version>
++    </dependency>
+ 
+     <!-- HBase dependencies -->
+     <dependency>
+diff --git a/phoenix-core-server/pom.xml b/phoenix-core-server/pom.xml
+index d5032ece2..e47fb0837 100644
+--- a/phoenix-core-server/pom.xml
++++ b/phoenix-core-server/pom.xml
+@@ -59,6 +59,12 @@
+             <groupId>org.apache.hadoop</groupId>
+             <artifactId>hadoop-mapreduce-client-core</artifactId>
+         </dependency>
++        <!-- Fix CVE-2023-34455 -->
++        <dependency>
++          <groupId>org.xerial.snappy</groupId>
++          <artifactId>snappy-java</artifactId>
++          <version>1.1.10.4</version>
++        </dependency>
+ 
+         <!-- HBase dependencies -->
+         <dependency>
+@@ -192,4 +198,4 @@
+             </plugin>
+         </plugins>
+     </build>
+-</project>
+\ No newline at end of file
++</project>
+diff --git a/phoenix-pherf/pom.xml b/phoenix-pherf/pom.xml
+index c03fff9a1..cdcce2f98 100644
+--- a/phoenix-pherf/pom.xml
++++ b/phoenix-pherf/pom.xml
+@@ -159,6 +159,12 @@
+       <groupId>org.apache.hbase</groupId>
+       <artifactId>hbase-server</artifactId>
+     </dependency>
++    <!-- Fix CVE-2023-34455 -->
++    <dependency>
++      <groupId>org.xerial.snappy</groupId>
++      <artifactId>snappy-java</artifactId>
++      <version>1.1.10.4</version>
++    </dependency>
+ 
+     <!-- Test Dependencies -->
+     <dependency>
+diff --git a/phoenix-tracing-webapp/pom.xml b/phoenix-tracing-webapp/pom.xml
+index d2d1549ef..c8054159e 100755
+--- a/phoenix-tracing-webapp/pom.xml
++++ b/phoenix-tracing-webapp/pom.xml
+@@ -89,6 +89,12 @@
+         <groupId>org.apache.hbase</groupId>
+         <artifactId>hbase-common</artifactId>
+       </dependency>
++      <!-- Fix CVE-2023-34455 -->
++      <dependency>
++        <groupId>org.xerial.snappy</groupId>
++        <artifactId>snappy-java</artifactId>
++        <version>1.1.10.4</version>
++      </dependency>
+     </dependencies>
+ 
+     <build>
+diff --git a/pom.xml b/pom.xml
+index 4abcb5a28..21dcf71ad 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -850,6 +850,13 @@
+           </exclusion>
+         </exclusions>
+       </dependency>
++      <!-- Fix CVE-2023-34455 -->
++      <dependency>
++        <groupId>org.xerial.snappy</groupId>
++        <artifactId>snappy-java</artifactId>
++        <version>1.1.10.4</version>
++      </dependency>
++
+       <dependency>
+         <groupId>org.apache.hadoop</groupId>
+         <artifactId>hadoop-common</artifactId>
diff --git a/hbase/stackable/patches/phoenix/5.2.0/series b/hbase/stackable/patches/phoenix/5.2.0/series
@@ -1 +1,2 @@
 01-cyclonedx-plugin.patch
+02-CVE-2023-34455-update-snappy-version.patch

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`01-cyclonedx-plugin.patch`
	`2`	`+02-CVE-2023-34455-update-snappy-version.patch`