guava-16.0.1 and guav-19.0 vulnerability CVE-2018-10237

[davydotcom]

CVE-2018-10237

ElasticSearch guava version needs updated to 24.1.1 to resolve another CVE
https://nvd.nist.gov/vuln/detail/CVE-2018-10237

[elasticmachine]

Pinging @elastic/es-core-infra (:Core/Infra/Core)

[rjernst]

I've been going through all the uses of guava. These are all indirect (we do not use guava directly in Elasticsearch). The following are uses of guava less than 24.1.1:

repository-azure plugin
One of the dependencies of the azure-storage client is azure-keyvault-core, which uses guava. There is an updated version of keyvault core which has a newer version of guava, but the latest version of azure-storage, at least with the api we use, still depends on azure-keyvault-core 1.0.0. There is a newer V11/12 client, but we will need to update our entire use of azure to upgrade, which we already have an issue for (#43309).

repository-hdfs plugin
The latest version of hdfs client uses an updated version of guava. @jbaiera is looking into the compatibility issues if we were to upgrade.

watcher
Watcher uses the owasp-java-html-sanitizer, which uses guava. The newest version of html sanitizer has a recent version of guava.

security
The opensaml dep of security uses guava in the shibboleth utilities. The latest version still uses guava 20.

[davydotcom]

i manually updated most of 7.4.2 to latest guava without issue and built my own version successfully. even if indirect they still show on security scans. Anything we can do to get that to not be a security scan result even if indirect is always best. Thanks for digging!

[jbaiera]

regarding repository-hdfs plugin compatibility:

Everything that I've seen has been centered around HDFS v3.x being backwards compatible with HDFS client v2, but not the other way around. If we were to upgrade the HDFS Client in repository-hdfs we would most likely need to increase the minimum supported HDFS version for the plugin. Hadoop and HDFS v3 has been out for a while now, but some Hadoop users are still bound to the version 2 line, and this would likely constitute a breaking change for that reason.

[davydotcom]

I was able to override and bump guava without bumping hdfs without issue

…

Sent from my iPhone

On Jan 13, 2020, at 9:38 AM, James Baiera ***@***.***> wrote:  regarding repository-hdfs plugin compatibility: Everything that I've seen has been centered around HDFS v3.x being backwards compatible with HDFS client v2, but not the other way around. If we were to upgrade the HDFS Client in repository-hdfs we would most likely need to increase the minimum supported HDFS version for the plugin. Hadoop and HDFS v3 has been out for a while now, but some Hadoop users are still bound to the version 2 line, and this would likely constitute a breaking change for that reason. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[rjernst]

I was able to override and bump guava without bumping hdfs without issue

While it is great that it worked for you, the trickiness of bumping dependencies which were not developed against the newer version is there can be runtime issues that do not come up until a particular feature is used. While we may end up still bumping this as suggested, guava is particularly painful and error prone in this case, or at least was with older versions. Bumping this will need extensive testing.