CVE-2022-23848: Alluxio 2.7.3 Release | Alluxio
In Alluxio before 2.7.3, the logserver does not validate the input stream. NOTE: this is not the same as the CVE-2021-44228 Log4j vulnerability.
We are excited to announce the release of Alluxio 2.7.3! This is an edge release for Alluxio open source on top of Alluxio 2.7.2, with a variety of bug fixes, documentation, and improvements.
HIGHLIGHTS
Addressed some memory leaks & crashes involving RocksDB
Areas of the codebase utilizing classes from the RocksDB library were updated to properly handle memory management (918e739).
Updated package dependencies to address security vulnerabilities
- Update hadoop dependencies (af1e33e)
- Bump gson version (dd017dc)
- Update protobuf version (176152c)(1e234dd)
- Update kubernetes packages (7d2f142)
- Update jersey version (2f3dffe)
- Update guava to fix some CVEs (fcb0b4c)
- Upgrade log4j to 2.17.1 (a25b0ca)
- Address CVE-2022-23848 (44d591b)(221f0ed)
IMPROVEMENTS
- Add worker startup timeout property key (067e9d4)
- Add stacks page in worker web UI (fa54b1b)
- Support statfs for jnifuse (d3e231a)
- Support web server/metrics sink in standby masters (a10823a)
- Support Alluxio allowed Fuse truncates (4c8b555)
- Add LoadTableCommand (f645405)
- Support building with Ozone 1.2.1 and remove the shaded-ozone module (8993e46)
- Make the checkConsistency command check more cases (20a7f4e)
- Make recursive options consistent in the filesystem shell (99e76a8)
BUG FIXES
- Fix a bug where loading metadata failed when the path is special (ea1cdc5)
- Fix Hub + k8s issues due to bad formatting and missing log4j.properties (f49dc8b)
- Fix metrics Worker.ActiveClients counter error (85ac996)
- Fix argument in alluxio-fuse unmount when argument has trailing slash (85ac996)
- Fix wrong method call to get username and wrong parameter assignment (afe74e0)
- Fix the concurrent read/write in Fuse.open(READ_WRITE) (bb37aa8)
- Fix the journal dumper not working (3cb47b4)
- Fix an NPE when running test (7f164c8)
- Fix incorrect calculation of cacheHitRatio (80cbd8d)
ACKNOWLEDGEMENTS
We want to thank the community for their valuable contributions to the Alluxio 2.7.3 release. In particular, we would like to thank:
Baolong Mao, Haoning Sun, Kevin Cai, ljl1988com, qian0817, striverpan, Xi Chen, Yaolong Liu
Enjoy the new release! We look forward to hearing your feedback on our community Slack channel.