Fixed CVEs

This release resolves 895 security vulnerabilities (CVEs) identified across ODP platform components as part of the upgrade from version 3.2.3.5-3 to 3.2.3.6-3. The fixes listed below are predominantly third-party dependency upgrades, version pins, exclusions, and removals rather than changes to the components' own code, so verifying a deployment means confirming that the upgraded artifact versions are actually what ends up on each component's classpath.

Detailed List of CVEs Addressed

For detailed information about CVEs addressed in this release, see ODP 3.2.3.6-3 Acceldata Open-Source Data Platform CVE Fixes.

Summary of CVEs by component and severity level

See the summary of CVEs addressed, broken down by component and severity level.

CVE Fix Descriptions

Ambari

  • OSV-16011: Removed Apache Hadoop and retained only ODP Hadoop (#490)
  • OSV-15922: Upgraded Solr to 8.11.2.2 (for Jetty) (#491)
  • OSV-16054: Addressed CVE-2024-29131 by upgrading commons-configuration2 from 2.8.0 to 2.14.0 (#498)
  • OSV-16008: Addressed CVE-2026-27830 by upgrading c3p0 from 0.9.5.4 to 0.12.0 (#500)
  • OSV-16057: Removed jose4j (#499)
  • OSV-15904: Upgraded Ambari Infra Solr to version 8 and aligned with Ambari 2.8 stack (partial) (#501)
  • OSV-16084: Addressed CVE-2023-2976 by removing guice-4.0-beta (#497)
  • OSV-16055: Addressed CVE-2020-13936 by migrating away from org.apache.velocity (#496)
  • OSV-16027: Removed Apache ZooKeeper (#493)
  • OSV-16061: Addressed CVE-2022-42889 by excluding commons-text from Solr (#494)
  • OSV-15927: Regenerated fast-hdfs-resource 3.2.3.3.2.3.6-2 (#495)

Hadoop

  • OSV-10916: Addressed CVE-2024-47561 by upgrading the Hadoop third-party to 1.4.0
  • OSV-10934: Addressed CVE-2024-29131 (HADOOP-19123, HADOOP-19532) by upgrading commons-lang3 and commons-configuration2 (#121)
  • OSV-10905: Addressed CVE-2025-59419 (HADOOP-19788) by upgrading Netty4 to 4.1.130.Final (#122)
  • OSV-3108: Addressed CVE-2025-48734 (HADOOP-18991) by removing commons-beanutils dependency (#123)
  • OSV-9565: Upgraded aws-java-sdk to 1.12.797 to address CVE
  • HADOOP-19114 / OSV-9569: Upgraded commons-compress to 1.26.1 to address CVEs (#6636)
  • OSV-9634: Upgraded nimbus-jose-jwt to address CVE
  • OSV-9619 / OSV-9572: Upgraded commons-net and commons-lang to address CVEs
  • OSV-10843: Upgraded commons-io to 2.16.1 and fixed deprecated API usage to address CVE-2024-47554 (#145)

Airflow

  • ODP-6015 / OCR-2365 / OCR-2388: Fixed CVEs and added build scripts for UBI9 and from-source for 3.2.3.6-2
  • OCR-2365 / OCR-2388: Disabled use of LogTemplate table by default (#61880)

Cruise Control 2

  • ODP-6342: Upgraded Netty to version 4.1.132.Final

Cruise Control 3

  • ODP-6342: Upgraded Netty to version 4.1.132.Final

DRUID

  • OSV-10182: Upgraded docker-java-bom and Kubernetes client-java to bump bcprov and address CVE (#59)
  • OSV-10193: Upgraded commons-lang3 to address CVE (#60)
  • OSV-10179: Upgraded netty4 to address CVE (#61)
  • OSV-10189: Upgraded commons-compress to address CVE (#62)
  • OSV-10180: Upgraded commons-beanutils to address CVE (#64, #65)
  • OSV-10181: Upgraded commons-io to address CVE (#63)
  • OSV-10078: Upgraded Avro to address CVE (#66)
  • OSV-10093: Upgraded Jackson to address CVE (#67)
  • OSV-10159: Upgraded jose4j to address CVE (#68)
  • OSV-10107: Upgraded log4j to address CVE (#69)
  • OSV-13324: Addressed CVE-2025-68161 by upgrading log4j to version 2.25.3
  • FLINK-38193: Addressed CVE-2025-48924 by upgrading commons-lang3 to version 3.18.0

HBase

  • OSV-10265 / HBASE-29293: Addressed CVE-2025-52999 by upgrading OpenTelemetry (#22)
  • HBASE-28250: Upgraded JRuby to 9.4.8.0 to address SnakeYAML CVE (#23)
  • HBASE-29740: Upgraded lz4-java to 1.8.1+ (#24)
  • HBASE-28379: Upgraded third-party dependencies to version 4.1.6
  • HBASE-28511: Updated hbase-thirdparty to version 4.1.7
  • HBASE-28793: Updated hbase-thirdparty to version 4.1.8
  • HBASE-28879: Upgraded hbase-thirdparty to version 4.1.9
  • HBASE-29086: Upgraded hbase-thirdparty to version 4.1.10
  • HBASE-29200: Upgraded Netty4 to version 4.1.119.Final in main repository

HBase Connectors

  • OSV-12156: Upgraded Curator to version 5.6.0 (#14)

Hive

  • OSV-9755 / OSV-9725: Upgraded Avro to 1.11.5 to address CVE (#117)
  • OSV-9700: Upgraded bcprov-jdk18on to address CVE (#119)
  • OSV-9753: Upgraded commons-beanutils to address CVE (#121)
  • OSV-9708: Upgraded commons-compress to address CVE (#122)
  • OSV-9728: Upgraded commons-lang3 to address CVE
  • OSV-9648: Upgraded Netty to address CVE (#124)
  • OSV-9747: Upgraded cron-utils to address CVE (#125)
  • OSV-9707: Upgraded nimbus-jose-jwt to address CVE (#126)
  • OSV-9723: Upgraded xmlsec to address CVE (#127)
  • OSV-9724 / HIVE-28417: Upgraded log4j2 to address CVE (#128)
  • OSV-10181: Upgraded commons-io to address CVE (#130)
  • HIVE-28625: Upgraded Apache Parquet to version 1.14.4 (partially backported)

Impala

  • ODP-6342: Upgraded Netty to version 4.1.132.Final
  • OSV-11025: Upgraded log4j2 to version 2.25.3 to address CVE
  • OSV-11004: Migrated from javax.el to jakarta.el 3.0.4 to address CVE
  • OSV-10952: Upgraded aircompressor to version 2.0.3 to address CVE
  • OSV-10951: Upgraded jdom2 to version 2.0.6.1 to address CVE
  • OSV-11036: Upgraded dnsjava to version 3.6.0 to address CVE
  • OSV-11037: Upgraded commons-lang3 to version 3.18.0 to address CVE
  • OSV-11051: Added commons-configuration2 version override in dependency management
  • OSV-11063: Added Netty dependencies to dependency management for kudu-client
  • OSV-11021: Added protobuf-java 3.25.5 and excluded vulnerable versions for kudu-client
  • OSV-11056: Added protobuf-java 3.25.5 to dependency management and excluded vulnerable 2.5.0 from HBase dependencies
  • OSV-11013: Excluded Jackson from Iceberg to address CVE
  • OSV-11046: Upgraded Jackson to version 2.16.1 to address CVE

JupyterHub

  • ODP-6226: Upgraded fonttools to version 4.45.1 to address CVE-2025-66034
  • OSV-11994 / 12009 / 12016: Addressed CVEs in fonttools, Jinja, and requests
  • OSV-12010: Upgraded Protobuf to address high-severity CVE
  • OSV-11999 / 11998 / 11997 / 11996 / 11995: Upgraded urllib3 to address CVEs
  • OSV-12017 / 12018: Addressed CVEs in setuptools and wheel

Kafka Connect 2

  • OSV-10326: Upgraded Avro to version 1.11.5 to address CVE-2024-47561 (#4)
  • OSV-10328: Upgraded Jackson to version 2.16.1 to address PRISMA-2023-0067

Kafka Connect 3

  • OSV-10326: Upgraded Avro to version 1.11.5 to address CVE-2024-47561 (#4)
  • OSV-10328: Upgraded Jackson to version 2.16.1 to address PRISMA-2023-0067

Pinot

  • ODP-6342: Upgraded Netty to version 4.1.132.Final
  • OSV-10752: Addressed multiple CVEs by upgrading Avro, aircompressor, Netty, commons-beanutils, Jersey, and log4j
  • OSV-10752: Excluded vulnerable okio from pinot-parquet module
  • OSV-10752: Excluded outdated protobuf libraries from pinot-parquet module
  • OSV-10752: Excluded outdated Jackson libraries from pinot-orc module

Spark 3

  • ODP-6342: Upgraded Netty to version 4.1.132.Final
  • OSV-11406: Addressed CVE-2019-10202
  • OSV-11416: Upgraded log4j to version 2.25.3 to address CVE

Sqoop

  • OSV-10778: Upgraded Avro to address CVE

Tez

  • OSV-9636: Addressed CVE by upgrading Netty4 to 4.1.130
  • TEZ-4353 / OSV-9632: Upgraded commons-io to 2.8.0 (#165)

Kafka 3

  • OSV-11068 / OSV-11067 / OSV-11076 / OSV-11084 / OSV-11081: Addressed multiple CVEs (#27)

Knox

  • OSV-9821 / KNOX-3078: Upgraded protobuf to version 3.25.5 (#57)
  • OSV-9834 / KNOX-3178: Upgraded dependencies to address CVEs (#56)

Kudu

  • ODP-6342: Upgraded Netty to version 4.1.132.Final
  • OSV-9893: Enforced usage of Acceldata ZooKeeper version
  • OSV-9892: Upgraded Guava to address CVE-2023-2976
  • OSV-14275 / 14276 / 8764 / 14269 / 14221 / 14219 / 14211 / 14209: Addressed multiple Kudu CVEs by upgrading Netty, Guava, commons-configuration2, mssql-jdbc, and aircompressor; and pinning snakeyaml, ZooKeeper, protobuf, dnsjava, and io.airlift:aircompressor versions

Ozone

  • OSV-10667: Upgraded commons-fileupload to 1.6 to address CVE-2025-48976
  • OSV-10696: Downgraded Netty to 4.1.111.Final for gRPC and Ratis compatibility (note that this is older than the 4.1.130.Final and 4.1.132.Final Netty versions shipped by other components in this release)
  • OSV-11049: Upgraded nimbus-jose-jwt to 9.37.4 to address CVE
  • OSV-11049: Upgraded Guava to 32.0.1-jre to address CVE
  • OSV-11049: Upgraded commons-io to 2.16.1 to address CVE
  • OSV-11049: Upgraded commons-lang3 to 3.18.0 to address CVE
  • OSV-11049: Upgraded commons-compress to 1.26.1 to address CVE
  • OSV-10678: Upgraded commons-beanutils to 1.11.0 to address CVE

Phoenix

  • ODP-6342: Upgraded Netty to version 4.1.132.Final
  • OSV-11609 / OSV-11602: Addressed CVE-2025-48924 and CVE-2025-68161 by upgrading commons-lang and log4j2
  • PHOENIX-7699: Upgraded Jetty to version 9.4.58.v20250814

Registry

  • OSV-11646: Upgraded Nimbus to version 10.0.1
  • OSV-11653: Upgraded jose4j to version 0.9.6
  • OSV-11746: Upgraded commons-beanutils to version 1.11.0
  • OSV-11749: Removed Elasticsearch dependency
  • OSV-11756: Upgraded dnsjava to version 3.6.0
  • OSV-11730: Upgraded Jetty version
  • OSV-11664: Removed unused ZooKeeper dependency
  • OSV-11658: Upgraded jdom2 version
  • OSV-11642: Upgraded jackson-databind to version 2.15.0
  • OSV-11742: Removed Jackson 1 dependencies
  • OSV-11632: Upgraded commons-text
  • OSV-11757: Upgraded SnakeYAML to version 2.0

Livy

  • OSV-10425 / OSV-10359 / ODP-6342: Upgraded Netty to version 4.1.132.Final to address CVEs
  • OSV-10359: Explicitly included commons-lang3 to address CVE-2025-48924
  • OSV-10485: Upgraded commons-lang3 to version 3.18.0 to address CVE

Ranger

  • OSV-11137 / ODP-6332: Removed unused Jetty HTTP component jars and upgraded Netty to 4.1.132
  • OSV-11108 / OSV-11268: Addressed CVEs by upgrading Elasticsearch and Netty to 4.1.130.Final
  • OSV-11027: Upgraded Elasticsearch to 7.17.29 to address CVE
  • OSV-11259: Upgraded commons-configuration2 to 2.10.1 to address CVE-2024-29131
  • OSV-11256 / OSV-11257: Upgraded Tomcat to version 9.0.115

Zeppelin

  • OSV-13027: Updated quartz scheduler to version 2.4.1 (#32)
  • OSV-13022: Upgraded commons-vfs2 to version 2.10.0 (#31)
  • OSV-12964: Upgraded aliyun-sdk-oss to version 3.18.5 (#30)
  • OSV-12963: Upgraded jinjava to version 2.7.6 (#29)
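Because almost every entry above is a dependency upgrade, pin, or exclusion, the practical post-upgrade check is to audit what actually landed on a component's classpath: is each tracked artifact at or above the version this release note calls fixed, and has the old vulnerable copy been removed rather than shipped alongside the new one (the failure mode the protobuf-java 2.5.0 and Jackson exclusions under Impala and Pinot address)? The following is an added example, not part of this release note or the ODP project; the minimum versions in MIN_VERSIONS are taken from the upgrade lines above (where components differ, the lowest version the note calls fixed is used), the artifact ids are assumed Maven artifact names, the sample jar list is constructed, and the version comparison is a deliberately simple numeric/qualifier split rather than full Maven ordering.

```python
import re
import sys
from pathlib import Path

# Minimum fixed versions taken from the upgrade lines in this release note.
# Where components differ (e.g. commons-configuration2 is 2.10.1 under Ranger
# and 2.14.0 under Ambari) the lowest version the note calls fixed is used;
# tighten per component as needed. Artifact ids are assumed Maven names.
MIN_VERSIONS = {
    "netty-all": "4.1.130.Final",
    "netty-handler": "4.1.130.Final",
    "netty-codec-http": "4.1.130.Final",
    "commons-lang3": "3.18.0",
    "commons-configuration2": "2.10.1",
    "log4j-core": "2.25.3",
    "commons-io": "2.16.1",
    "commons-compress": "1.26.1",
    "commons-beanutils": "1.11.0",
    "commons-fileupload": "1.6",
    "protobuf-java": "3.25.5",
    "avro": "1.11.5",
    "jackson-databind": "2.16.1",
}

# "<artifact>-<version>.jar": the artifact part is everything before the first
# "-<digit>", so "commons-lang3-3.18.0.jar" splits into commons-lang3 / 3.18.0.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def parse_jar(name):
    """Return (artifact, version) for a jar filename, or None if unparseable."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Simplified ordering: numeric tokens compare as ints, others as text.
    Good enough for x.y.z[.Final] style versions; not full Maven semantics."""
    key = []
    for tok in re.split(r"[.\-]", version):
        key.append((1, int(tok)) if tok.isdigit() else (0, tok))
    return key


def audit_jars(jar_names):
    """Return (outdated, duplicates):
    outdated   - list of (jar filename, required minimum) below MIN_VERSIONS
    duplicates - {artifact: [versions...]} where more than one copy is present,
                 i.e. an exclusion did not take effect and the old jar still ships."""
    seen = {}
    outdated = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        seen.setdefault(artifact, set()).add(version)
        minimum = MIN_VERSIONS.get(artifact)
        if minimum and version_key(version) < version_key(minimum):
            outdated.append((name, minimum))
    duplicates = {a: sorted(v, key=version_key) for a, v in seen.items() if len(v) > 1}
    return outdated, duplicates


def audit_directory(path):
    """Audit every *.jar directly inside a component lib directory."""
    return audit_jars(sorted(p.name for p in Path(path).glob("*.jar")))


# Constructed sample classpath (not taken from a real ODP installation).
SAMPLE_CLASSPATH = [
    "netty-all-4.1.132.Final.jar",
    "commons-lang3-3.18.0.jar",
    "commons-configuration2-2.8.0.jar",   # below the 2.10.1 minimum
    "protobuf-java-3.25.5.jar",
    "protobuf-java-2.5.0.jar",            # old copy still shipped next to the fix
    "log4j-core-2.25.3.jar",
    "jackson-databind-2.16.1.jar",
    "hadoop-common-3.2.3.3.2.3.6-2.jar",  # not tracked, ignored
]

if __name__ == "__main__":
    outdated, duplicates = (audit_directory(sys.argv[1]) if len(sys.argv) > 1
                            else audit_jars(SAMPLE_CLASSPATH))
    for jar, minimum in outdated:
        print(f"OUTDATED  {jar} (need >= {minimum})")
    for artifact, versions in duplicates.items():
        print(f"DUPLICATE {artifact}: {', '.join(versions)}")
```

Run it with a component lib directory as the argument (for example the directory a service's classpath is assembled from) to list jars below the fixed version and artifacts that are present in more than one version; a duplicate is a finding even when the newer copy is present, because which copy the JVM loads first depends on classpath order, not on version. Each component's own entries above should take precedence over the shared MIN_VERSIONS table where they specify a higher version.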