Merge pull request apache#74 from mapr/HBASE-201_4

HBASE-201 CVE-2016-6796: Tomcat / Jasper library vulnerability

hbase-client/pom.xml

@@ -332,12 +332,16 @@
               <artifactId>servlet-api</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-compiler</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-catalina</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-runtime</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-jasper</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>org.apache.tomcat.embed</groupId>
+              <artifactId>tomcat-embed-jasper</artifactId>
             </exclusion>
             <exclusion>
               <groupId>org.codehaus.jackson</groupId>

hbase-common/pom.xml

@@ -467,12 +467,16 @@
               <artifactId>servlet-api</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-compiler</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-catalina</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-runtime</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-jasper</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>org.apache.tomcat.embed</groupId>
+              <artifactId>tomcat-embed-jasper</artifactId>
             </exclusion>
             <exclusion>
               <groupId>org.codehaus.jackson</groupId>

hbase-prefix-tree/pom.xml

@@ -243,12 +243,16 @@
               <artifactId>servlet-api</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-compiler</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-catalina</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-runtime</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-jasper</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>org.apache.tomcat.embed</groupId>
+              <artifactId>tomcat-embed-jasper</artifactId>
             </exclusion>
             <exclusion>
               <groupId>org.codehaus.jackson</groupId>

hbase-procedure/pom.xml

@@ -202,12 +202,16 @@
               <artifactId>servlet-api</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-compiler</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-catalina</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-runtime</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-jasper</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>org.apache.tomcat.embed</groupId>
+              <artifactId>tomcat-embed-jasper</artifactId>
             </exclusion>
             <exclusion>
               <groupId>org.codehaus.jackson</groupId>

hbase-resource-bundle/src/main/resources/supplemental-models.xml

@@ -1628,34 +1628,6 @@ under the License.
       </licenses>
     </project>
   </supplement>
-  <supplement>
-    <project>
-      <groupId>tomcat</groupId>
-      <artifactId>jasper-compiler</artifactId>
-
-      <licenses>
-        <license>
-          <name>Apache License, Version 2.0</name>
-          <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
-          <distribution>repo</distribution>
-        </license>
-      </licenses>
-    </project>
-  </supplement>
-  <supplement>
-    <project>
-      <groupId>tomcat</groupId>
-      <artifactId>jasper-runtime</artifactId>
-
-      <licenses>
-        <license>
-          <name>Apache License, Version 2.0</name>
-          <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
-          <distribution>repo</distribution>
-        </license>
-      </licenses>
-    </project>
-  </supplement>
   <supplement>
     <project>
       <groupId>xml-apis</groupId>

hbase-rest/pom.xml

@@ -87,6 +87,8 @@
                           location="${basedir}/src/main/resources/hbase-webapps"/>
                 <property name="generated.sources"
                           location="${project.build.directory}/generated-sources"/>
+                <delete dir="${build.webapps}" includeemptydirs="true"/>
+                <delete dir="${generated.sources}" includeemptydirs="true"/>
                 <mkdir dir="${build.webapps}"/>
                 <copy todir="${build.webapps}">
                   <fileset dir="${src.webapps}">

hbase-rsgroup/pom.xml

@@ -299,12 +299,16 @@
               <artifactId>servlet-api</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-compiler</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-catalina</artifactId>
             </exclusion>
             <exclusion>
-              <groupId>tomcat</groupId>
-              <artifactId>jasper-runtime</artifactId>
+              <groupId>org.apache.tomcat</groupId>
+              <artifactId>tomcat-jasper</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>org.apache.tomcat.embed</groupId>
+              <artifactId>tomcat-embed-jasper</artifactId>
             </exclusion>
             <exclusion>
               <groupId>org.codehaus.jackson</groupId>

hbase-server/pom.xml

@@ -165,6 +165,8 @@
                 <property name="build.webapps" location="${project.build.directory}/hbase-webapps"/>
                 <property name="src.webapps" location="${basedir}/src/main/resources/hbase-webapps"/>
                 <property name="generated.sources" location="${project.build.directory}/generated-sources"/>
+                <delete dir="${build.webapps}" includeemptydirs="true"/>
+                <delete dir="${generated.sources}" includeemptydirs="true"/>
                 <mkdir dir="${build.webapps}"/>
                 <copy todir="${build.webapps}">
                   <fileset dir="${src.webapps}">
@@ -537,13 +539,31 @@
       <artifactId>zookeeper</artifactId>
     </dependency>
     <dependency>
-      <groupId>tomcat</groupId>
-      <artifactId>jasper-compiler</artifactId>
-      <scope>compile</scope>
+      <groupId>org.apache.tomcat</groupId>
+      <artifactId>tomcat-catalina</artifactId>
+      <version>${tomcat-catalina.version}</version>
     </dependency>
     <dependency>
-      <groupId>tomcat</groupId>
-      <artifactId>jasper-runtime</artifactId>
+      <groupId>org.apache.tomcat</groupId>
+      <artifactId>tomcat-jasper</artifactId>
+      <version>${tomcat-jasper.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.eclipse.jdt</groupId>
+          <artifactId>ecj</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.tomcat.embed</groupId>
+      <artifactId>tomcat-embed-jasper</artifactId>
+      <version>${tomcat-embed-jasper.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.eclipse.jdt</groupId>
+          <artifactId>ecj</artifactId>
+        </exclusion>
+      </exclusions>
       <scope>compile</scope>
     </dependency>
     <dependency>

hbase-shaded/pom.xml

@@ -275,6 +275,34 @@
                                         <pattern>org.apache.jasper</pattern>
                                         <shadedPattern>org.apache.hadoop.hbase.shaded.org.apache.jasper</shadedPattern>
                                     </relocation>
+                                    <relocation>
+                                        <pattern>org.apache.catalina</pattern>
+                                        <shadedPattern>org.apache.hadoop.hbase.shaded.org.apache.catalina</shadedPattern>
+                                    </relocation>
+                                    <relocation>
+                                        <pattern>org.apache.naming</pattern>
+                                        <shadedPattern>org.apache.hadoop.hbase.shaded.org.apache.naming</shadedPattern>
+                                    </relocation>
+                                    <relocation>
+                                        <pattern>jakarta</pattern>
+                                        <shadedPattern>org.apache.hadoop.hbase.shaded.jakarta</shadedPattern>
+                                    </relocation>
+                                    <relocation>
+                                        <pattern>org.apache.juli</pattern>
+                                        <shadedPattern>org.apache.hadoop.hbase.shaded.org.apache.juli</shadedPattern>
+                                    </relocation>
+                                    <relocation>
+                                        <pattern>org.apache.tomcat</pattern>
+                                        <shadedPattern>org.apache.hadoop.hbase.shaded.org.apache.tomcat</shadedPattern>
+                                    </relocation>
+                                    <relocation>
+                                        <pattern>org.apache.coyote</pattern>
+                                        <shadedPattern>org.apache.hadoop.hbase.shaded.org.apache.coyote</shadedPattern>
+                                    </relocation>
+                                    <relocation>
+                                        <pattern>org.apache.el</pattern>
+                                        <shadedPattern>org.apache.hadoop.hbase.shaded.org.apache.el</shadedPattern>
+                                    </relocation>
                                     <relocation>
                                         <pattern>org.apache.taglibs</pattern>
                                         <shadedPattern>org.apache.hadoop.hbase.shaded.org.apache.commons</shadedPattern>

hbase-spark/pom.xml

@@ -397,12 +397,16 @@
           <artifactId>jetty-util</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>tomcat</groupId>
-          <artifactId>jasper-runtime</artifactId>
+          <groupId>org.apache.tomcat</groupId>
+          <artifactId>tomcat-catalina</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>tomcat</groupId>
-          <artifactId>jasper-compiler</artifactId>
+          <groupId>org.apache.tomcat</groupId>
+          <artifactId>tomcat-jasper</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.tomcat.embed</groupId>
+          <artifactId>tomcat-embed-jasper</artifactId>
         </exclusion>
         <exclusion>
           <groupId>org.jruby</groupId>
@@ -489,12 +493,16 @@
           <artifactId>jetty-util</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>tomcat</groupId>
-          <artifactId>jasper-runtime</artifactId>
+          <groupId>org.apache.tomcat</groupId>
+          <artifactId>tomcat-catalina</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.tomcat</groupId>
+          <artifactId>tomcat-jasper</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>tomcat</groupId>
-          <artifactId>jasper-compiler</artifactId>
+          <groupId>org.apache.tomcat.embed</groupId>
+          <artifactId>tomcat-embed-jasper</artifactId>
         </exclusion>
         <exclusion>
           <groupId>org.jruby</groupId>
@@ -567,12 +575,16 @@
           <artifactId>jetty-util</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>tomcat</groupId>
-          <artifactId>jasper-runtime</artifactId>
+          <groupId>org.apache.tomcat</groupId>
+          <artifactId>tomcat-catalina</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.tomcat</groupId>
+          <artifactId>tomcat-jasper</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>tomcat</groupId>
-          <artifactId>jasper-compiler</artifactId>
+          <groupId>org.apache.tomcat.embed</groupId>
+          <artifactId>tomcat-embed-jasper</artifactId>
         </exclusion>
         <exclusion>
           <groupId>org.jruby</groupId>

hbase-thrift/pom.xml

@@ -116,6 +116,8 @@
                 <property name="build.webapps" location="${project.build.directory}/hbase-webapps"/>
                 <property name="src.webapps" location="${basedir}/src/main/resources/hbase-webapps"/>
                 <property name="generated.sources" location="${project.build.directory}/generated-sources"/>
+                <delete dir="${build.webapps}" includeemptydirs="true"/>
+                <delete dir="${generated.sources}" includeemptydirs="true"/>
                 <mkdir dir="${build.webapps}"/>
                 <copy todir="${build.webapps}">
                   <fileset dir="${src.webapps}">

pom.xml

@@ -1317,7 +1317,9 @@
     <guava.version>28.2-jre</guava.version>
     <jackson.version>2.10.1</jackson.version>
     <jackson.databind.version>2.10.1</jackson.databind.version>
-    <jasper.version>5.5.23</jasper.version>
+    <tomcat-catalina.version>10.0.0-M4</tomcat-catalina.version>
+    <tomcat-jasper.version>10.0.0-M4</tomcat-jasper.version>
+    <tomcat-embed-jasper.version>10.0.0-M4</tomcat-embed-jasper.version>
     <jaxb-api.version>2.2.2</jaxb-api.version>
     <jetty.version>9.4.28.v20200408</jetty.version>
     <servlet.api.version>3.1.0</servlet.api.version>
@@ -1824,40 +1826,29 @@
         <version>${hbase.shaded.gson.version}</version>
       </dependency>
       <dependency>
-        <!--If this is not in the runtime lib, we get odd
-      "2009-02-27 11:38:39.504::WARN:  failed jsp
-       java.lang.NoSuchFieldError: IS_SECURITY_ENABLED"
-       exceptions out of jetty deploying webapps.
-       St.Ack Thu May 20 01:04:41 PDT 2010
-      -->
-        <groupId>tomcat</groupId>
-        <artifactId>jasper-compiler</artifactId>
-        <version>${jasper.version}</version>
-        <scope>runtime</scope>
+        <groupId>org.apache.tomcat</groupId>
+        <artifactId>tomcat-catalina</artifactId>
+        <version>${tomcat-catalina.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.tomcat</groupId>
+        <artifactId>tomcat-jasper</artifactId>
+        <version>${tomcat-jasper.version}</version>
         <exclusions>
           <exclusion>
-            <groupId>javax.servlet</groupId>
-            <artifactId>jsp-api</artifactId>
-          </exclusion>
-          <exclusion>
-            <groupId>javax.servlet</groupId>
-            <artifactId>servlet-api</artifactId>
-          </exclusion>
-          <exclusion>
-            <groupId>ant</groupId>
-            <artifactId>ant</artifactId>
+            <groupId>org.eclipse.jdt</groupId>
+            <artifactId>ecj</artifactId>
           </exclusion>
         </exclusions>
       </dependency>
       <dependency>
-        <groupId>tomcat</groupId>
-        <artifactId>jasper-runtime</artifactId>
-        <version>${jasper.version}</version>
-        <scope>runtime</scope>
+        <groupId>org.apache.tomcat.embed</groupId>
+        <artifactId>tomcat-embed-jasper</artifactId>
+        <version>${tomcat-embed-jasper.version}</version>
         <exclusions>
           <exclusion>
-            <groupId>javax.servlet</groupId>
-            <artifactId>servlet-api</artifactId>
+            <groupId>org.eclipse.jdt</groupId>
+            <artifactId>ecj</artifactId>
           </exclusion>
         </exclusions>
       </dependency>