Fixed CVEs

This release resolves 895 security vulnerabilities (CVEs) identified across ODP platform components, representing a comprehensive security hardening initiative implemented during the upgrade from version 3.3.6.3-1 to 3.3.6.4-1.

Detailed List of CVE Fixes

For detailed information about CVEs addressed in this release, see ODP 3.3.6.4-1 Acceldata Open-Source Data Platform CVE Fixes.

Summary of CVEs by component and severity level

The summary below gives the number of CVEs addressed by severity level, followed by the fixes applied in each component.

ODP CVE Security Fixes

  • Total CVEs fixed: 550
  • Critical: 71
  • High: 327
  • Medium: 135
  • Low: 17

CVE Fix Descriptions

Airflow

  • OSV-16499 | OSV-16505 | OSV-16506 | OSV-16507 | OSV-16509 | OSV-16511 | OSV-16512 | OSV-16514 | OSV-16515 | OSV-16516 | OSV-16517 | OSV-16519 | OSV-16531: Applied multiple CVE fixes in WTForms, xmlsec, yarl, zipp, and zope.

Ambari

  • ODP-6645: Upgraded commons-io.
  • OCR-2427: Upgraded jszip for CVE-2022-48285 fixes.
  • OCR-2427: Upgraded underscore.js for CVE-2026-27601 fixes.
  • OSV-15824: Applied CVE fixes for spring-security-crypto.
  • OSV-15832: Applied CVE fixes for snappy-java.
  • OSV-15756: Applied Spring related CVE fixes.
  • OSV-15854: Applied PostgreSQL related CVE fixes.
  • OSV-15754: Applied Jetty related CVE fixes.
  • OSV-15755: Applied jetty.http2 related CVE fixes.
  • OSV-15879: Applied jettison related CVE fixes.
  • OSV-15765: Applied mina-core related CVE fixes.
  • OSV-15841: Applied commons-compress related CVE fixes.
  • OSV-15888: Applied Avro related CVE fixes.
  • OSV-15705: Applied json-smart related CVE fixes.
  • OSV-15694: Applied Log4j related CVE fixes.
  • OSV-15867: Applied Netty and netty-codec related CVE fixes.
  • OSV-15857 | OSV-15901 | OSV-15758: Applied BeanUtils, Derby, and HSQLDB related CVE fixes.
  • OSV-15701: Applied nimbus-jose-jwt related CVE fixes.
  • OSV-15852: Applied mchange-commons-java related CVE fixes.
  • OSV-15779: Applied com.mchange_c3p0 related CVE fixes.
  • OSV-15837: Applied com.h2database_h2 related CVE fixes.
  • OSV-15826: Applied protobuf-java related CVE fixes.
  • OSV-15682: Applied Guava and related CVE fixes.
  • OSV-15710: Applied Jackson Databind and related CVE fixes.
  • OSV-15685: Applied Jackson and related CVE fixes.
  • OSV-15902: Upgraded com.esotericsoftware.yamlbeans_yamlbeans to version 1.17.

Cruise Control

  • OSV-13090: Bumped Jetty version to 9.4.58.v20250814.

Cruise Control 3

  • OSV-13097: Bumped Netty to 4.1.130.Final.
  • OSV-13096: Bumped Jetty version to 9.4.58.v20250814.
  • ODP-6108: Bumped Log4j2 to 2.25.3 for vulnerability fixes.

Druid

  • Migrated JAXB bind dependency to Jakarta (apache#17370).
  • OSV-12602 | CVE-2024-29131: Bumped commons-configuration2 to 2.10.1.
  • OSV-12603 | CVE-2025-55163: Upgraded grpc_grpc-netty-shaded.
  • OSV-12606 | CVE-2025-55163: Upgraded netty-codec-http2 to 4.1.124.Final in druid-azure-extensions.
  • Updated jose4j and corresponding license files (apache#16078).
  • Bumped Jackson to 2.18.4 and Fabric8 to 7.2.0 (apache#18013).
  • Upgraded Jackson and Google GSON to address CVEs (apache#15461).
  • OSV-12617: Patched Jackson upgrades to address CVE-2022-42004 and CVE-2022-42003.
  • ODP-6342: Bumped Netty version to 4.1.132.Final.
  • FLINK-38193 | CVE-2025-48924: Bumped commons-lang3 to version 3.18.0.
  • OSV-13324 | CVE-2025-68161: Bumped log4jVersion to 2.25.3.

Hadoop

  • Matched bcprov-jdk18on version in hadoop-hdfs-client.pom.
  • Updated bcprov-jdk18on version to 1.78.
  • Upgraded Bouncy Castle libraries to version 1.78.
  • Bumped org.bouncycastle:bcprov-jdk18on in hadoop-project.
  • HADOOP-19024: Updated Bouncy Castle JDK18 to version 1.77.
  • HADOOP-18540: Upgraded Bouncy Castle to 1.70.
  • OSV-13528 | CVE-2025-48924: Upgraded commons-lang3 to 3.18.0.
  • HADOOP-18496: Upgraded okhttp3 and related dependencies to address Kotlin CVEs.
  • HADOOP-19632: Upgraded nimbus-jose-jwt to 10.4.
  • OSV-12789 | HADOOP-19788 | CVE-2025-59419: Upgraded Netty4 version to 4.1.130.
  • OSV-12791 | HADOOP-18991 | CVE-2025-48734: Removed commons-beanutils dependency from Hadoop3.

HBase

  • ODP-6109: Bumped Log4j2 to 2.25.3 for vulnerability fixes.
  • OSV-12618 | OSV-13399: Increased Tomcat version to address CVEs.
  • HBASE-29928: Bumped io.airlift:aircompressor from 0.27 to 2.0.3.
  • HBASE-29740: Upgraded lz4-java to 1.8.1+.

Hive

  • OSV-13183 | HIVE-28417: Bumped Log4j2 to address CVEs.
  • OSV-13852: Bumped Jetty version to address CVEs.
  • OSV-13188: Bumped nimbus-jose to address CVEs.
  • OSV-13379: Increased commons-compress and avatica versions to address CVEs.
  • OSV-12390 | HIVE-28224: Bumped orc-core to address CVEs.
  • OSV-13181: Bumped velocity-core to address CVEs.
  • OSV-13173: Bumped commons-lang3 to address CVEs.
  • OSV-13168: Bumped avatica to address CVEs.
  • OSV-12468: Bumped Netty version to address CVEs.
  • HIVE-28856: Removed jetty-runner dependency.
  • ODP-6114: Bumped Log4j2 to 2.25.3 for vulnerability fixes.

Hue

  • OSV-12381 | OSV-12380 | OSV-12379 | OSV-12378 | OSV-12377: Fixed CVEs and rebuilt the old protobuf files.

Impala

  • OSV-11051: Updated commons-configuration2 to version 2.10.1.
  • OSV-11056: Excluded and added protobuf-java dependency.
  • OSV-11063: Added Netty dependencies to dependency management for kudu-client.

JupyterHub

  • ODP-6226: Updated fonttools to patched version 4.45.1 to address CVE-2025-66034.
  • OSV-12016: Upgraded Jinja2 version to address CVEs.

Kafka 2

  • OSV-16240 | CVE-2025-67030: Upgraded plexus-utils to 4.0.3.

Kafka 3

  • OSV-13097: Bumped Netty to 4.1.132.Final.
  • OSV-12824: Bumped Checkstyle to 12.3.1.
  • OSV-12825: Bumped org.bitbucket.b_c_jose4j to 0.9.6.

Knox

  • OSV-9834 | KNOX-3178: Upgraded dependencies to address CVEs.
  • ODP-6110: Bumped Log4j2 to 2.25.3 for vulnerability fixes.
  • OSV-4624: Upgraded com.nimbusds_nimbus-jose-jwt to 9.37.3 to address CVEs.

Kudu

  • OSV-12533: Matched Ranger lib Guava version with Kudu Java dependencies.
  • OSV-12523: Matched Kudu Ranger lib commons-configuration2 version with ODP Ranger to 2.10.1.
  • OSV-12525 | OSV-12527: Upgraded Netty to 4.1.130.Final to address CVEs.
  • OSV-12523: Updated Guava version to 32.0.1-jre in Kudu Ranger lib.
  • ODP-6112: Bumped Log4j2 to 2.25.3 for vulnerability fixes.

Livy

  • OSV-13357: Increased commons-lang3 version to 3.18.0 to address CVE-2025-48924.
  • OSV-13357: Increased Netty version to 4.1.130.Final to address CVE-2025-67735.

NiFi / NiFi Registry

  • OSV-12598: Bumped io.netty_netty-codec-http2 from 4.1.118.Final to 4.1.124.Final.
  • OSV-12597: Bumped shaded io.grpc_grpc-netty-shaded gRPC to 1.75.0.
  • OSV-12594: Bumped commons-beanutils_commons-beanutils from 1.9.4 to 1.11.0.
  • OSV-12593 | OSV-12592: Bumped com.mchange_c3p0 from 0.9.5.4 to 0.12.0 and mchange-commons-java from 0.2.15 to 0.4.0.
  • OSV-12590: Bumped Jetty from 9.4.56.v20240826 to 9.4.58.v20250814.
  • OSV-12589: Bumped protobuf-java to 3.25.5.
  • OSV-12581: Bumped Jersey from 2.45 to 2.46.

Oozie

  • OSV-13380: Increased Jetty version to 9.4.57.v20241219 to address CVEs.

Ozone

  • OSV-11049: Bumped commons-beanutils to address CVEs.
  • OSV-11016: Bumped commons-lang3 to address CVEs.
  • OSV-11048: Bumped commons-io to address CVEs.
  • OSV-11020: Bumped commons-compress to address CVEs.

Phoenix

  • OSV-12933: Bumped Jetty version to address CVEs.
  • ODP-6115: Bumped Log4j2 to 2.25.3 for vulnerability fixes.

Pinot

  • OSV-10752: Excluded Jackson libraries from pinot-orc module that pulled older Jackson versions.
  • OSV-10752: Excluded Protobuf libraries from pinot-parquet module that pulled older Protobuf versions.
  • OSV-10752: Increased Helix version to address CVE-2023-38647.
  • OSV-13469 | OSV-10752: Increased Log4j version to address OSV-10702.
  • OSV-12756 | OSV-10752: Increased aircompressor version to address CVEs.
  • OSV-13467: Increased classgraph version to 4.8.165 to address CVE-2021-47621.

Ranger

  • OSV-12863: Upgraded Tomcat to 9.0.115 to address CVEs.
  • OSV-12847: Upgraded Netty to 4.1.130.Final to address CVEs.
  • OSV-12840: Upgraded commons-configuration2 to 2.10.1 to address CVE-2024-29131.
  • OSV-12841: Dropped unused Elasticsearch JARs from Yarn plugin packaging to address CVEs.
  • OSV-12830: Dropped unused Jetty HTTP component JARs to address CVEs.

Schema Registry

  • OSV-11646: Bumped Nimbus version to 10.0.1.
  • OSV-11653: Bumped org.bitbucket.b_c_jose4j to 0.9.6.
  • OSV-11749: Removed org.elasticsearch_elasticsearch from dependency tree.
  • OSV-11756: Bumped dnsjava to 3.6.0.
  • OSV-11730: Bumped Jetty version.
  • OSV-11664: Removed unused Zookeeper dependencies.
  • OSV-11658: Bumped jdom2 version.
  • OSV-11642: Bumped jackson-databind to 2.15.0.
  • OSV-11742: Removed Jackson 1 dependencies.
  • OSV-11632: Bumped commons_text.
  • OSV-11757: Bumped snakeyaml to 2.0.
  • OSV-7607: Bumped Logback to 1.2.13 to address CVEs.
  • OSV-7681: Bumped Avro to 1.11.4 to address CVEs.
  • OSV-5583: Bumped Jackson to 2.16.1 to address CVEs.

Spark 3

  • OCR-2334: Increased aws.java.sdk version to 1.12.791 to address CVE-2025-58057.
  • OSV-13646: Increased Vert.x version to 4.5.24.
  • ODP-6111: Bumped Log4j2 to 2.25.3 for vulnerability fixes.
  • OSV-13653: Increased Log4j version to 2.24.3.
  • OSV-12917 | SPARK-52434: Upgraded gcs-connector to 2.2.28.
  • OSV-13653: Increased Netty version to 4.1.130.Final to address CVE-2025-58057.
  • OSV-11402: Increased commons-lang3 version to 3.18.0.
  • OSV-12929: Updated lz4-java version to 1.10.4.
  • OSV-12929 | SPARK-55803: Bumped lz4-java to 1.10.4 to restore performance improvements.
  • OSV-12912 | OSV-12333: Increased Hudi version to address CVE-2020-36183.

Sqoop

  • OSV-13375: Increased snakeyaml version to 1.33 to address CVE-2022-38750.
  • OSV-13431: Increased aws-java-sdk version to 1.12.797 to address CVE-2025-58057.
  • OSV-12763: Upgraded io.airlift:aircompressor to 2.0.3 to address CVE-2025-67721.
  • OSV-12761: Added jetty-server in resolutionStrategy with a non-vulnerable version to address CVE-2024-13009.
  • OSV-12760: Upgraded jackson-core from 2.14.3 to 2.15.0 and Jetty from 9.4.45 to 9.4.57 to address CVE-2025-52999.

Trino

  • ODP-6128: Updated tcnative version to 2.0.75.Final.
  • ODP-6128: Bumped commons-text version to 1.13.1.
  • ODP-6128: Bumped commons-lang3 to 3.18.0 and Elasticsearch to 7.17.29.
  • ODP-6128: Bumped commons-text to 1.13.1 in trino-ranger.

Zookeeper

  • OSV-13144: Bumped logback-core to 1.3.16 to address CVEs.
  • ODP-6200 | GHSA-72hv-8253-57qq: Upgraded Jackson to 2.18.6.
  • ODP-6583 | ZOOKEEPER-5017: Bumped Netty to 4.1.132.Final.