
URL: https://repost.aws/questions/QUY5M25jjtRDaZLqfI-hQTPg/how-to-fix-vulnerability-failure-on-emr-image

How to fix vulnerability failure on EMR image | AWS re:Post

0

Hi Team, we are using the EMR Serverless v7.0.0 base image for the ETL tasks. A critical vulnerability failure occurs on the below file during container scanning using Inspector. How to get this vulnerability fixed?

usr/lib/hudi/hudi-aws-bundle-0.14.0-amzn-1.jar

Description : FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Topics: Analytics
Language: English

asked 2 years ago, 332 views

2 Answers
0

Verify Current EMR Release:

Check the AWS documentation to see if there is a newer version of the EMR Serverless image or the hudi-aws-bundle that includes a patched version of jackson-databind. AWS may have released a new version that addresses this vulnerability.

Custom EMR Build:

If the current EMR release does not have the fix, consider creating a custom EMR image where you update the jackson-databind library to a version that is not vulnerable. You can do this by:
  • Downloading the latest non-vulnerable version of jackson-databind (2.9.8 or later) from Maven.
  • Replacing the old version in the hudi-aws-bundle with the updated jar.
  • Rebuilding or packaging the updated library into your EMR environment.

You can temporarily mitigate the issue by disabling polymorphic deserialization for certain classes if updating the library is not immediately possible. Here's an example in Java:

    import com.fasterxml.jackson.databind.DeserializationFeature;
    import com.fasterxml.jackson.databind.ObjectMapper;

    ObjectMapper mapper = new ObjectMapper();
    // Unrelated to the finding: only controls whether unknown JSON fields are an error.
    mapper.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
    // Keep default typing off. enableDefaultTyping(...) is what lets attacker-chosen
    // class names (such as the jboss-common-core gadget) reach polymorphic
    // deserialization. In jackson-databind 2.10+ this method is named deactivateDefaultTyping().
    mapper.disableDefaultTyping();

EXPERT

answered 2 years ago

  • Muthukumar
    2 years ago

    Thanks, @Deekshitha Urs. Can you provide more information on the 3rd point? At present, we are not using Hudi in our application. The base packages provide all these bundles.
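As an added example, not code from the page, from AWS or from the Hudi project: before rebuilding a bundle, or after rebuilding it, it helps to see exactly which jackson-databind version the fat jar carries, since the finding is against the copy embedded inside hudi-aws-bundle rather than a standalone jackson-databind jar. A jar is a zip file, and shaded bundles normally keep each dependency's Maven `pom.properties` under `META-INF/maven/<groupId>/<artifactId>/`. The script below reads that metadata, compares the version against the 2.9.8 threshold quoted in the finding, and also locates `ObjectMapper.class` anywhere in the archive so a relocated (shaded) copy is noticed even when the metadata is missing. The sample jars it builds are constructed in memory; the relocation prefix `org/apache/hudi/shaded/` is an assumption used to illustrate a relocated copy, not the layout of the real hudi-aws-bundle.

```python
import io
import re
import zipfile

# Constructed sample data: a minimal fat jar (a jar is a zip file) that
# carries jackson-databind's Maven metadata the way a shaded bundle does.
# The contents are stand-ins, not the real hudi-aws-bundle.
DATABIND_GROUP = "com.fasterxml.jackson.core"
DATABIND_ARTIFACT = "jackson-databind"
FIXED_VERSION = "2.9.8"  # threshold quoted in the Inspector finding on the page


def build_sample_bundle(databind_version=None, relocated_prefix=""):
    """Build an in-memory jar; omit jackson-databind entirely when databind_version is None.
    relocated_prefix is an assumed shading prefix, e.g. 'org/apache/hudi/shaded/'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/hudi/SomeHudiClass.class", b"\xca\xfe\xba\xbe")
        if databind_version is not None:
            zf.writestr(
                f"META-INF/maven/{DATABIND_GROUP}/{DATABIND_ARTIFACT}/pom.properties",
                "# generated by Maven\n"
                f"version={databind_version}\n"
                f"groupId={DATABIND_GROUP}\n"
                f"artifactId={DATABIND_ARTIFACT}\n",
            )
            zf.writestr(
                f"{relocated_prefix}com/fasterxml/jackson/databind/ObjectMapper.class",
                b"\xca\xfe\xba\xbe",
            )
    return buf.getvalue()


POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def embedded_artifacts(jar_bytes):
    """Map (groupId, artifactId) -> version for every Maven pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if "version" in props:
                found[(m.group(1), m.group(2))] = props["version"]
    return found


def databind_class_paths(jar_bytes):
    """Paths of ObjectMapper.class anywhere in the jar; a non-root prefix means the package was relocated."""
    suffix = "com/fasterxml/jackson/databind/ObjectMapper.class"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.endswith(suffix)]


def parse_version(v):
    """Numeric tuple for ordering; a distro suffix such as '-amzn-1' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


def databind_is_vulnerable(jar_bytes, fixed_in=FIXED_VERSION):
    """True if the bundled jackson-databind is older than fixed_in, False if not,
    None if the jar carries no jackson-databind metadata (check databind_class_paths then)."""
    version = embedded_artifacts(jar_bytes).get((DATABIND_GROUP, DATABIND_ARTIFACT))
    if version is None:
        return None
    return parse_version(version) < parse_version(fixed_in)


def scan_jar_file(path):
    """Convenience wrapper for a jar on disk, e.g. one copied out of the EMR image."""
    with open(path, "rb") as fh:
        return databind_is_vulnerable(fh.read())


if __name__ == "__main__":
    for label, jar in [
        ("old, unrelocated", build_sample_bundle("2.9.6")),
        ("patched, relocated", build_sample_bundle("2.15.2", "org/apache/hudi/shaded/")),
        ("no jackson-databind", build_sample_bundle(None)),
    ]:
        print(label, "->", databind_is_vulnerable(jar), databind_class_paths(jar))
```

Point `scan_jar_file` at the bundle copied out of the image (the path in the question). If it returns `None` but `databind_class_paths` is non-empty, the bundle relocated the classes and dropped the Maven metadata, so the version has to be read from the bundle's own build descriptor instead; either way, a rebuilt bundle should come back `False` before the image is re-scanned.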

0

To address the vulnerability in the hudi-aws-bundle-0.14.0-amzn-1.jar file on your EMR Serverless v7.0.0 image, start by checking for a newer EMR version that might include an updated, secure version of Hudi.

If upgrading is not feasible, consider creating a custom EMR image with updated libraries or manually replacing the vulnerable jackson-databind library within the JAR file.

Additionally, applying available patches or implementing security safeguards can help mitigate the issue.

EXPERT

answered 2 years ago