DataStax cassandra core drive dependents on vulnerable Guava-19

Asked 14/3, 2019 at 6:2 Answered 15/3, 2019 at 8:18

Solved security cassandra datastax datastax-enterprise datastax-java-driver

DataStax cassandra core java drive is having a transitive dependencies on guava-19 (including latest DataStax) which is having a security vulnerable (CVE-2018-10237).

To fix this when I tried excluding guava-19.0 dependencies from DataStax drive and replaced with guava-27.1-jre I got following error on run-time and confirmed same by decompileing the latest guava driver; looks like from guava-20.0 they removed the FutureFallback class and there is no backward compatibility with latest cassandra drive.

java.lang.NoClassDefFoundError: com/google/common/util/concurrent/FutureFallback

Any help or quick fix or alternative is highly appreciable.

Shofar answered 14/3, 2019 at 6:2 Comment(3)

What do you mean by 0-day? Theoretically, Java driver shouldn't be affected by this CVE. – Adjacent 14/3, 2019 at 11:37

Got it, corrected! Thanks. But do we have any update available or timeline and how do you say "shouldn't be affected" ? – Shofar 14/3, 2019 at 12:4

I’ve asked dev team to provide comment – Adjacent 14/3, 2019 at 12:14

The vulnerability relates to Guava classes AtomicDoubleArray and CompoundOrdering; we don't use them in the driver.

We've addressed Guava compatibility issues in JAVA-1328. The driver is compatible with 16.0.1 to latest, there is an internal compatibility layer to address the breaking changes in 19. I've just tried a simple client that overrides the dependency to 27.1-jre, things work as expected.

How were you testing and what was the stack trace of your error?

Royden answered 14/3, 2019 at 14:4 Comment(0)

I exactly have the same issue & fix was to ignore Guava from 3 places, not only from drivers. Below is the sample for your fix. It worked for me & I am using Guava 27 now.

<dependency>
    <groupId>com.datastax.cassandra</groupId>
    <artifactId>cassandra-driver-core</artifactId>
    <version>${datastax.version}</version>
    <exclusions>
        <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>*</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>com.datastax.cassandra</groupId>
    <artifactId>cassandra-driver-mapping</artifactId>
    <version>${datastax.version}</version>
    <exclusions>
        <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>*</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>com.datastax.cassandra</groupId>
    <artifactId>cassandra-driver-extras</artifactId>
    <version>${datastax.version}</version>
    <exclusions>
        <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>*</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Later u can use your own Guava like below:

<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>${guava.version}</version>
</dependency>

Larvicide answered 15/3, 2019 at 8:18 Comment(1)

What is your cassandra-driver-core version? – Supertax 10/11, 2020 at 16:16

Recommended topics

Hot tags