- Bug
- Resolution: Done
- Medium
- None
- Casablanca Release
- None
TCA has a dependency on the vulnerable version 2.4.4 of the com.fasterxml.jackson.core library.
The version of com.fasterxml.jackson.core is dictated by the dependency on CDAP and Spark.
TCA was written for CDAP 4.2.1, which uses Spark 1.6.1 and com.fasterxml.jackson.core 2.4.4.
Updating com.fasterxml.jackson.core past 2.4.4 while staying on CDAP 4.2.1 causes runtime failures: Spark jobs fail with NoSuchMethodError because of Jackson JSON version conflicts.
Also, the latest CDAP (4.3.3) ships version 2.8.8 of com.fasterxml.jackson.core, which is vulnerable as well.
The mitigation plan is to move to a newer version of TCA that does not carry this dependency.
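The practical difficulty in this ticket is that the Jackson version is pulled in transitively, so a `pom.xml` change alone does not tell you which direct dependency is responsible. The following script, added here as an example and not part of the ticket or the TCA project, parses `mvn dependency:tree` output, flags every com.fasterxml.jackson artifact whose version is not newer than 2.8.8 (the newest version the ticket names as vulnerable; the threshold is an assumption you can change), and reports the chain of direct and transitive dependencies that drags each one in. The sample tree, and every artifact name in it other than the Jackson coordinates, is constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `mvn dependency:tree` output. The cdap/spark/other-lib
# coordinates are placeholders, not real project artifacts.
SAMPLE_TREE = """\
[INFO] example.org:tca-example:jar:0.0.1-SNAPSHOT
[INFO] +- example.cdap:cdap-api-placeholder:jar:4.2.1:provided
[INFO] |  \\- example.spark:spark-core-placeholder:jar:1.6.1:provided
[INFO] |     +- com.fasterxml.jackson.core:jackson-databind:jar:2.4.4:provided
[INFO] |     |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.4.0:provided
[INFO] |     |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.4.4:provided
[INFO] |     \\- com.fasterxml.jackson.core:jackson-databind:jar:2.4.4:provided
[INFO] \\- example.org:other-lib-placeholder:jar:1.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.0:compile
"""

# Assumption: treat anything not newer than the newest version the ticket calls
# vulnerable as needing attention. Adjust to your own advisory data.
NEWEST_KNOWN_BAD = "2.8.8"

# One tree line: "[INFO] " + tree-drawing prefix (|, +, -, \, space) + coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>\S+)$")


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.4.4' or '0.0.1-SNAPSHOT' into a comparable tuple of ints."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))


def split_coord(coord: str) -> Tuple[str, str, str]:
    """Return (groupId, artifactId, version) from a Maven coordinate string.

    Formats: g:a:type:version[:scope] or g:a:type:classifier:version:scope.
    """
    parts = coord.split(":")
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[0], parts[1], version


def parse_tree(text: str) -> List[List[str]]:
    """Return one ancestor path (root ... node) per dependency line.

    Each indentation level in dependency:tree output is three characters wide,
    so the prefix length gives the depth directly.
    """
    stack: List[str] = []
    paths: List[List[str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        del stack[depth:]            # drop siblings/children of the previous node
        stack.append(m.group("coord"))
        paths.append(list(stack))
    return paths


def find_vulnerable_jackson(text: str, newest_bad: str = NEWEST_KNOWN_BAD) -> List[Dict[str, str]]:
    """Flag Jackson artifacts at or below the threshold, with their pull-in chain."""
    bad = version_tuple(newest_bad)
    findings = []
    for path in parse_tree(text):
        group, artifact, version = split_coord(path[-1])
        if group.startswith("com.fasterxml.jackson") and version_tuple(version) <= bad:
            findings.append({
                "artifact": f"{group}:{artifact}",
                "version": version,
                # path[0] is the project itself; path[1] is the direct dependency
                "via": " -> ".join(path[1:-1]),
            })
    return findings


def direct_culprits(text: str, newest_bad: str = NEWEST_KNOWN_BAD) -> Set[str]:
    """The direct dependencies (as groupId:artifactId) that pull in flagged Jackson."""
    culprits = set()
    for path in parse_tree(text):
        group, _, version = split_coord(path[-1])
        if group.startswith("com.fasterxml.jackson") and version_tuple(version) <= bad_tuple(newest_bad):
            g, a, _ = split_coord(path[1])
            culprits.add(f"{g}:{a}")
    return culprits


def bad_tuple(newest_bad: str) -> Tuple[int, ...]:
    return version_tuple(newest_bad)


if __name__ == "__main__":
    for f in find_vulnerable_jackson(SAMPLE_TREE):
        print(f"{f['artifact']}:{f['version']}  via  {f['via']}")
    print("direct dependencies to replace or manage:", sorted(direct_culprits(SAMPLE_TREE)))
```

Run it against `mvn dependency:tree -Dverbose` output of your own build; the `via` chain is what tells you whether a `dependencyManagement` override is even an option, or, as in this ticket, whether the platform (CDAP/Spark) pins the version and only a platform or component upgrade removes the exposure.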