Title
Create new category
Edit page index title
Edit category
Edit link
Fixed CVEs
This release resolves 895 security vulnerabilities (CVEs) identified across ODP platform components, representing a comprehensive security hardening initiative implemented during the upgrade from version 3.3.6.3-1 to 3.3.6.4-1.
Detailed List of CVE Fixes
For detailed information about CVEs addressed in this release, see ODP 3.3.6.4-1 Acceldata Open-Source Data Platform CVE Fixes.
Summary of CVEs by component and severity level
You can see the summary of CVEs addressed by components and severity level.
🛡️ODP CVE Security Fixes
CVE Fix Descriptions
Airflow
OSV-16499, OSV-16505, OSV-16506, OSV-16507, OSV-16509, OSV-16511, OSV-16512, OSV-16514, OSV-16515, OSV-16516, OSV-16517, OSV-16519, OSV-16531 Addressing multiple CVE fixes in WTForms, xmlsec, yarl, zipp, zope - Addressing multiple CVE fixes in WTForms, xmlsec, yarl, zipp, zope
Ambari
ODP-6645: Upgraded
commons-io.OCR-2427: Upgraded
jszipfor CVE-2022-48285 fixes.OCR-2427: Upgraded
underscore.jsfor CVE-2026-27601 fixes.OSV-15824: Applied CVE fixes for
spring-security-crypto.OSV-15832: Applied CVE fixes for
snappy-java.OSV-15756: Applied Spring related CVE fixes.
OSV-15854: Applied PostgreSQL related CVE fixes.
OSV-15754: Applied Jetty related CVE fixes.
OSV-15755: Applied
jetty.http2related CVE fixes.OSV-15879: Applied
jettisonrelated CVE fixes.OSV-15765: Applied
mina-corerelated CVE fixes.OSV-15841: Applied
commons-compressrelated CVE fixes.OSV-15888: Applied Avro related CVE fixes.
OSV-15705: Applied
json-smartrelated CVE fixes.OSV-15694: Applied Log4j related CVE fixes.
OSV-15867: Applied Netty and
netty-codecrelated CVE fixes.OSV-15857 | OSV-15901 | OSV-15758: Applied BeanUtils, Derby, and HSQLDB related CVE fixes.
OSV-15701: Applied
nimbus-jose-jwtrelated CVE fixes.OSV-15852: Applied
mchange-commons-javarelated CVE fixes.OSV-15779: Applied
com.mchange_c3p0related CVE fixes.OSV-15837: Applied
com.h2database_h2related CVE fixes.OSV-15826: Applied
protobuf-javarelated CVE fixes.OSV-15682: Applied Guava and related CVE fixes.
OSV-15710: Applied Jackson Databind and related CVE fixes.
OSV-15685: Applied Jackson and related CVE fixes.
OSV-15902: Upgraded
com.esotericsoftware.yamlbeans_yamlbeansto version 1.17.
Cruise Control
OSV-13090: Bumped Jetty version to
9.4.58.v20250814.
Cruise Control 3
OSV-13097: Bumped Netty to
4.1.130.Final.OSV-13096: Bumped Jetty version to
9.4.58.v20250814.ODP-6108: Bumped Log4j2 to
2.25.3for vulnerability fixes.
Druid
Migrated JAXB bind dependency to Jakarta (
apache#17370).OSV-12602 | CVE-2024-29131: Bumped
commons-configuration2to2.10.1.OSV-12603 | CVE-2025-55163: Upgraded
grpc_grpc-netty-shaded.OSV-12606 | CVE-2025-55163: Upgraded
netty-codec-http2to4.1.124.Finalindruid-azure-extensions.Updated
jose4jand corresponding license files (apache#16078).Bumped Jackson to
2.18.4and Fabric8 to7.2.0(apache#18013).Upgraded Jackson and Google GSON to address CVEs (
apache#15461).OSV-12617: Patched Jackson upgrades to address
CVE-2022-42004andCVE-2022-42003.
Flink
ODP-6342: Bumped Netty version to
4.1.132.Final.FLINK-38193 | CVE-2025-48924: Bumped
commons-lang3to version3.18.0.OSV-13324 | CVE-2025-68161: Bumped
log4jVersionto2.25.3.
Hadoop
Matched
bcprov-jdk18onversion inhadoop-hdfs-client.pom.Updated
bcprov-jdk18onversion to1.78.Upgraded Bouncy Castle libraries to version
1.78.Bumped
org.bouncycastle:bcprov-jdk18oninhadoop-project.HADOOP-19024: Updated Bouncy Castle JDK18 to version
1.77.HADOOP-18540: Upgraded Bouncy Castle to
1.70.OSV-13528 | CVE-2025-48924: Upgraded
commons-lang3to3.18.0.HADOOP-18496: Upgraded
okhttp3and related dependencies to address Kotlin CVEs.HADOOP-19632: Upgraded
nimbus-jose-jwtto10.4.OSV-12789 | HADOOP-19788 | CVE-2025-59419: Upgraded Netty4 version to
4.1.130.OSV-12791 | HADOOP-18991 | CVE-2025-48734: Removed
commons-beanutilsdependency from Hadoop3.
HBase
ODP-6109: Bumped Log4j2 to
2.25.3for vulnerability fixes.OSV-12618 | OSV-13399: Increased Tomcat version to address CVEs.
HBASE-29928: Bumped
io.airlift:aircompressorfrom0.27to2.0.3.HBASE-29740: Upgraded
lz4-javato1.8.1+.
Hive
OSV-13183 | HIVE-28417: Bumped Log4j2 to address CVEs.
OSV-13852: Bumped Jetty version to address CVEs.
OSV-13188: Bumped
nimbus-joseto address CVEs.OSV-13379: Increased
commons-compressandavaticaversions to address CVEs.OSV-12390 | HIVE-28224: Bumped
orc-coreto address CVEs.OSV-13181: Bumped
velocity-coreto address CVEs.OSV-13173: Bumped
commons-lang3to address CVEs.OSV-13168: Bumped
avaticato address CVEs.OSV-12468: Bumped Netty version to address CVEs.
HIVE-28856: Removed
jetty-runnerdependency.ODP-6114: Bumped Log4j2 to
2.25.3for vulnerability fixes.
Hue
OSV-12381 | OSV-12380 | OSV-12379 | OSV-12378 | OSV-12377: Fixed CVEs and rebuilt the old protobuf files.
Impala
OSV-11051: Updated
commons-configuration2to version2.10.1.OSV-11056: Excluded and added
protobuf-javadependency.OSV-11063: Added Netty dependencies to dependency management for
kudu-client.
JupyterHub
ODP-6226: Updated
fonttoolsto patched version4.45.1to addressCVE-2025-66034.OSV-12016: Upgraded Jinja2 version to address CVEs.
Kafka 2
OSV-16240 | CVE-2025-67030: Upgraded
plexus-utilsto4.0.3.
Kafka 3
OSV-13097: Bumped Netty to
4.1.132.Final.OSV-12824: Bumped Checkstyle to
12.3.1.OSV-12825: Bumped
org.bitbucket.b_c_jose4jto0.9.6.
Knox
OSV-9834 | KNOX-3178: Upgraded dependencies to address CVEs.
ODP-6110: Bumped Log4j2 to
2.25.3for vulnerability fixes.OSV-4624: Upgraded
com.nimbusds_nimbus-jose-jwtto9.37.3to address CVEs.
Kudu
OSV-12533: Matched Ranger lib Guava version with Kudu Java dependencies.
OSV-12523: Matched Kudu Ranger lib
commons-configuration2version with ODP Ranger to2.10.1.OSV-12525 | OSV-12527: Upgraded Netty to
4.1.130.Finalto address CVEs.OSV-12523: Updated Guava version to
32.0.1-jrein Kudu Ranger lib.ODP-6112: Bumped Log4j2 to
2.25.3for vulnerability fixes.
Livy
OSV-13357: Increased
commons-lang3version to3.18.0to addressCVE-2025-48924.OSV-13357: Increased Netty version to
4.1.130.Finalto addressCVE-2025-67735.
NiFi / NiFi Registry
OSV-12598: Bumped
io.netty_netty-codec-http2from4.1.118.Finalto4.1.124.Final.OSV-12597: Bumped shaded
io.grpc_grpc-netty-shadedgRPC to1.75.0.OSV-12594: Bumped
commons-beanutils_commons-beanutilsfrom1.9.4to1.11.0.OSV-12593 | OSV-12592: Bumped
com.mchange_c3p0from0.9.5.4to0.12.0andmchange-commons-javafrom0.2.15to0.4.0.OSV-12590: Bumped Jetty from
9.4.56.v20240826to9.4.58.v20250814.OSV-12589: Bumped
protobuf-javato3.25.5.OSV-12581: Bumped Jersey from
2.45to2.46.
Oozie
OSV-13380: Increased Jetty version to
9.4.57.v20241219to address CVEs.
Ozone
OSV-11049: Bumped
commons-beanutilsto address CVEs.OSV-11016: Bumped
commons-lang3to address CVEs.OSV-11048: Bumped
commons-ioto address CVEs.OSV-11020: Bumped
commons-compressto address CVEs
Phoenix
OSV-12933: Bumped Jetty version to address CVEs.
ODP-6115: Bumped Log4j2 to
2.25.3for vulnerability fixes.
Pinot
OSV-10752: Excluded Jackson libraries from
pinot-orcmodule that pulled older Jackson versions.OSV-10752: Excluded Protobuf libraries from
pinot-parquetmodule that pulled older Protobuf versions.OSV-10752: Increased Helix version to address
CVE-2023-38647.OSV-13469 | OSV-10752: Increased Log4j version to address
OSV-10702.OSV-12756 | OSV-10752: Increased
aircompressorversion to address CVEs.OSV-13467: Increased
classgraphversion to4.8.165to addressCVE-2021-47621.
Ranger
OSV-12863: Upgraded Tomcat to
9.0.115to address CVEs.OSV-12847: Upgraded Netty to
4.1.130.Finalto address CVEs.OSV-12840: Upgraded
commons-configuration2to2.10.1to addressCVE-2024-29131.OSV-12841: Dropped unused Elasticsearch JARs from Yarn plugin packaging to address CVEs.
OSV-12830: Dropped unused Jetty HTTP component JARs to address CVEs.
Schema Registry
OSV-11646: Bumped Nimbus version to
10.0.1.OSV-11653: Bumped
org.bitbucket.b_c_jose4jto0.9.6.OSV-11749: Removed
org.elasticsearch_elasticsearchfrom dependency tree.OSV-11756: Bumped
dnsjavato3.6.0.OSV-11730: Bumped Jetty version.
OSV-11664: Removed unused Zookeeper dependencies.
OSV-11658: Bumped
jdom2version.OSV-11642: Bumped
jackson-databindto2.15.0.OSV-11742: Removed Jackson 1 dependencies.
OSV-11632: Bumped
commons_text.OSV-11757: Bumped
snakeyamlto2.0.OSV-7607: Bumped Logback to
1.2.13to address CVEs.OSV-7681: Bumped Avro to
1.11.4to address CVEs.OSV-5583: Bumped Jackson to
2.16.1to address CVEs.
Spark 3
OCR-2334: Increased
aws.java.sdkversion to1.12.791to addressCVE-2025-58057.OSV-13646: Increased Vert.x version to
4.5.24.ODP-6111: Bumped Log4j2 to
2.25.3for vulnerability fixes.OSV-13653: Increased Log4j version to
2.24.3.OSV-12917 | SPARK-52434: Upgraded
gcs-connectorto2.2.28.OSV-13653: Increased Netty version to
4.1.130.Finalto addressCVE-2025-58057.OSV-11402: Increased
commons-lang3version to3.18.0.OSV-12929: Updated
lz4-javaversion to1.10.4.OSV-12929 | SPARK-55803: Bumped
lz4-javato1.10.4to restore performance improvements.OSV-12912 | OSV-12333: Increased Hudi version to address
CVE-2020-36183.
Sqoop
OSV-13375: Increased
snakeyamlversion to1.33to addressCVE-2022-38750.OSV-13431: Increased
aws-java-sdkversion to1.12.797to addressCVE-2025-58057.OSV-12763: Upgraded
io.airlift:aircompressorto2.0.3to addressCVE-2025-67721.OSV-12761: Added
jetty-serverinresolutionStrategywith a non-vulnerable version to addressCVE-2024-13009.OSV-12760: Upgraded
jackson-corefrom2.14.3to2.15.0and Jetty from9.4.45to9.4.57to addressCVE-2025-52999.
Trino
ODP-6128: Updated
tcnativeversion to2.0.75.Final.ODP-6128: Bumped
commons-textversion to1.13.1.ODP-6128: Bumped
commons-lang3to3.18.0and Elasticsearch to7.17.29.ODP-6128: Bumped
commons-textto1.13.1intrino-ranger
Zookeeper
OSV-13144: Bumped
logback-coreto1.3.16to address CVEs.ODP-6200 | GHSA-72hv-8253-57qq: Upgraded Jackson to
2.18.6.ODP-6583 | ZOOKEEPER-5017: Bumped Netty to
4.1.132.Final.