 

DataStax Cassandra core driver depends on vulnerable Guava 19

The DataStax Cassandra core Java driver has a transitive dependency on guava-19 (including the latest DataStax release), which has a security vulnerability (CVE-2018-10237).

To fix this, I tried excluding the guava-19.0 dependency from the DataStax driver and replacing it with guava-27.1-jre, but I got the following error at run time and confirmed the same by decompiling the latest Guava jar; it looks like from guava-20.0 they removed the FutureFallback class, and there is no backward compatibility with the latest Cassandra driver.

java.lang.NoClassDefFoundError: com/google/common/util/concurrent/FutureFallback

Any help, quick fix or alternative is highly appreciated.

lambodar asked Mar 14 '19 06:03


2 Answers

The vulnerability relates to Guava classes AtomicDoubleArray and CompoundOrdering; we don't use them in the driver.

We've addressed Guava compatibility issues in JAVA-1328. The driver is compatible with 16.0.1 to latest; there is an internal compatibility layer to address the breaking changes in 19. I've just tried a simple client that overrides the dependency to 27.1-jre, and things work as expected.

How were you testing and what was the stack trace of your error?

Olivier Michallat answered Oct 10 '22 16:10


I had exactly the same issue, and the fix was to ignore Guava in 3 places, not only in the driver. Below is the sample for your fix. It worked for me, and I am using Guava 27 now.

<dependency>
    <groupId>com.datastax.cassandra</groupId>
    <artifactId>cassandra-driver-core</artifactId>
    <version>${datastax.version}</version>
    <exclusions>
        <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>*</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>com.datastax.cassandra</groupId>
    <artifactId>cassandra-driver-mapping</artifactId>
    <version>${datastax.version}</version>
    <exclusions>
        <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>*</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>com.datastax.cassandra</groupId>
    <artifactId>cassandra-driver-extras</artifactId>
    <version>${datastax.version}</version>
    <exclusions>
        <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>*</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Later you can use your own Guava like below:

<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>${guava.version}</version>
</dependency>

Anil Kapoor answered Oct 10 '22 15:10
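After adding the exclusions above, the thing to verify is what Maven actually resolves: a non-verbose `mvn dependency:tree` only shows the winner of nearest-wins mediation, so a transitive guava-19 that is merely out-voted by your direct 27.1-jre still sits in the POM graph and is exactly the "missing exclusion" the answer above is about. The script below is an added example, not code from the question, either answer or the DataStax project. It parses `mvn dependency:tree -Dverbose` output, lists every `com.google.guava:guava` node, flags versions in the CVE-2018-10237 range (11.0 up to but not including 24.1.1, per the advisory; those bounds are not stated on this page), and separates versions on the classpath from versions Maven dropped as duplicates or conflicts. The sample trees are constructed, `com.example:demo-app` is a made-up project and `X.Y.Z` is a placeholder for the driver version.

```python
"""Audit the Guava version(s) Maven resolves, from `mvn dependency:tree` output.

Against a real project, pipe the tree in (-Dverbose also shows the nodes that
nearest-wins mediation silently dropped):
    mvn dependency:tree -Dverbose | python3 guava_audit.py
"""
import re
import sys

# CVE-2018-10237 affects Guava 11.0 up to but not including 24.1.1 (bounds taken
# from the advisory; they are an assumption relative to the page above).
AFFECTED_FROM = (11, 0, 0)
FIXED_IN = (24, 1, 1)

# One dependency:tree node, in either of the shapes Maven prints, e.g.
#   [INFO] |  +- com.google.guava:guava:jar:19.0:compile
#   [INFO] |  \- (com.google.guava:guava:jar:19.0:compile - omitted for conflict with 27.1-jre)
TREE_NODE = re.compile(
    r"^\[INFO\]\s+(?:[|+\\\-\s]*-\s)?\(?"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w.\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)"
    r"(?P<note>(?:\s+-\s+[^)]*|\s+\([^)]*\))?)\)?\s*$"
)


def parse_version(version):
    """'19.0' -> (19, 0, 0); '27.1-jre' -> (27, 1, 0). Qualifiers (-jre, -android) are dropped."""
    parts = []
    for piece in version.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def find_guava(tree_output):
    """Every com.google.guava:guava node in the tree, with Maven's annotation for it."""
    nodes = []
    for line in tree_output.splitlines():
        m = TREE_NODE.match(line)
        if m and (m["group"], m["artifact"]) == ("com.google.guava", "guava"):
            nodes.append({"version": m["version"], "scope": m["scope"], "note": m["note"].strip()})
    return nodes


def audit(tree_output):
    """Split Guava nodes into what lands on the classpath and what mediation dropped."""
    nodes = find_guava(tree_output)
    resolved = sorted({n["version"] for n in nodes if "omitted" not in n["note"]}, key=parse_version)
    omitted = sorted({n["version"] for n in nodes if "omitted" in n["note"]}, key=parse_version)
    return {
        "resolved": resolved,
        "resolved_affected": [v for v in resolved if is_affected(v)],
        # Vulnerable versions that merely lost mediation are still declared transitively:
        # an <exclusion> is missing, and a dependency reorder could bring them back.
        "missing_exclusions": [v for v in omitted if is_affected(v)],
        "ok": len(resolved) == 1 and not is_affected(resolved[0]),
    }


def report(result):
    lines = ["Guava on classpath: " + (", ".join(result["resolved"]) or "none")]
    if result["resolved_affected"]:
        lines.append("VULNERABLE (CVE-2018-10237): " + ", ".join(result["resolved_affected"]))
    if result["missing_exclusions"]:
        lines.append("still declared transitively, add <exclusion>: " + ", ".join(result["missing_exclusions"]))
    return "\n".join(lines)


# Constructed samples standing in for real `mvn dependency:tree -Dverbose` output.
# com.example:demo-app is made up and X.Y.Z is a placeholder for the driver version.
SAMPLE_UNFIXED = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.datastax.cassandra:cassandra-driver-core:jar:X.Y.Z:compile
[INFO] |  \- com.google.guava:guava:jar:19.0:compile
[INFO] \- com.datastax.cassandra:cassandra-driver-mapping:jar:X.Y.Z:compile
[INFO]    \- (com.google.guava:guava:jar:19.0:compile - omitted for duplicate)
"""
# Direct guava 27.1-jre declared, but no exclusions yet: 19.0 is out-voted, not gone.
SAMPLE_PARTIAL = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.google.guava:guava:jar:27.1-jre:compile
[INFO] +- com.datastax.cassandra:cassandra-driver-core:jar:X.Y.Z:compile
[INFO] |  \- (com.google.guava:guava:jar:19.0:compile - omitted for conflict with 27.1-jre)
[INFO] \- com.datastax.cassandra:cassandra-driver-mapping:jar:X.Y.Z:compile
[INFO]    \- (com.google.guava:guava:jar:19.0:compile - omitted for conflict with 27.1-jre)
"""
# All three driver artifacts carry the exclusion from the answer above.
SAMPLE_FIXED = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.google.guava:guava:jar:27.1-jre:compile
[INFO] +- com.datastax.cassandra:cassandra-driver-core:jar:X.Y.Z:compile
[INFO] +- com.datastax.cassandra:cassandra-driver-mapping:jar:X.Y.Z:compile
[INFO] \- com.datastax.cassandra:cassandra-driver-extras:jar:X.Y.Z:compile
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PARTIAL
    result = audit(text)
    print(report(result))
    sys.exit(0 if result["ok"] and not result["missing_exclusions"] else 1)
```

The exit code makes this usable as a CI gate: SAMPLE_UNFIXED fails because 19.0 is what ends up on the classpath, SAMPLE_PARTIAL has a clean classpath but still reports 19.0 as a missing exclusion, and only SAMPLE_FIXED passes outright. The same guard can be expressed declaratively in the build with the maven-enforcer-plugin's bannedDependencies rule on `com.google.guava:guava` below 24.1.1, which is the durable form once the exclusions are in place.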