
Hazelcast Kubernetes Compatibility with Hazelcast > 5.3.1


We have a massive library upgrade being done, and the only vulnerability pending is the Hazelcast client vulnerability on 5.3.1, which is CVE-2023-45859 and possibly CVE-2023-45860. We are not able to proceed to update the client further, as there is a method-not-found issue on hazelcast-kubernetes 2.2.3. Is there an alternative to the hazelcast-kubernetes library which can be employed on a container platform, or is there someone working to upgrade hazelcast-kubernetes altogether?

Below is the stack trace if the Hazelcast client alone is upgraded above 5.3.1:

    java.lang.NoSuchMethodError: 'void com.hazelcast.internal.nio.IOUtil.closeResource(java.io.Closeable)'
        at com.hazelcast.kubernetes.KubernetesConfig.readFileContents(KubernetesConfig.java:164)
        at com.hazelcast.kubernetes.KubernetesConfig.readAccountToken(KubernetesConfig.java:140)
        at com.hazelcast.kubernetes.KubernetesConfig.getApiToken(KubernetesConfig.java:125)
        at com.hazelcast.kubernetes.KubernetesConfig.<init>(KubernetesConfig.java:94)
        at com.hazelcast.kubernetes.HazelcastKubernetesDiscoveryStrategy.<init>(HazelcastKubernetesDiscoveryStrategy.java:42)
        at com.hazelcast.kubernetes.HazelcastKubernetesDiscoveryStrategyFactory.newDiscoveryStrategy(HazelcastKubernetesDiscoveryStrategyFactory.java:68)
        at com.hazelcast.spi.discovery.impl.DefaultDiscoveryService.loadDiscoveryStrategies(DefaultDiscoveryService.java:151)
        at com.hazelcast.spi.discovery.impl.DefaultDiscoveryService.<init>(DefaultDiscoveryService.java:58)
        at com.hazelcast.spi.discovery.impl.DefaultDiscoveryServiceProvider.newDiscoveryService(DefaultDiscoveryServiceProvider.java:29)
        at com.hazelcast.instance.impl.Node.createDiscoveryService(Node.java:363)
        at com.hazelcast.instance.impl.Node.<init>(Node.java:284)

Solution

  • We had a customised library on top of Hazelcast which was using the below dependencies, which had their own compatibility with the Hazelcast library. Thanks to orçun-Çolak, Hazelcast 5 and above now has both Kubernetes and client bundled together (Client, Kubernetes).

    Removing both and having only hazelcast resolves it.

        <dependency>
            <groupId>com.hazelcast</groupId>
            <artifactId>hazelcast-client</artifactId>
            <version>${hazelcast-client.version}</version>
        </dependency>
    
        <dependency>
            <groupId>com.hazelcast</groupId>
            <artifactId>hazelcast-kubernetes</artifactId>
            <version>${hazelcast-kubernetes.version}</version>
        </dependency>
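
The end state the answer describes, as an added example that is not part of the original post: one `hazelcast` dependency, plus a `maven-enforcer-plugin` rule so the build fails if `hazelcast-client` or `hazelcast-kubernetes` returns through a transitive dependency. The `${hazelcast.version}` and `${maven-enforcer-plugin.version}` properties and the execution id are placeholders assumed here.

```xml
<!-- Added example; the two version properties are placeholders to define in <properties>. -->
<dependencies>
    <!-- Single artifact: per the answer, Hazelcast 5+ bundles the client
         and the Kubernetes discovery strategy. -->
    <dependency>
        <groupId>com.hazelcast</groupId>
        <artifactId>hazelcast</artifactId>
        <version>${hazelcast.version}</version>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-enforcer-plugin</artifactId>
            <version>${maven-enforcer-plugin.version}</version>
            <executions>
                <execution>
                    <!-- Hypothetical execution id -->
                    <id>ban-legacy-hazelcast-artifacts</id>
                    <goals>
                        <goal>enforce</goal>
                    </goals>
                    <configuration>
                        <rules>
                            <bannedDependencies>
                                <excludes>
                                    <!-- Old standalone jars compiled against
                                         internals that newer cores no longer expose -->
                                    <exclude>com.hazelcast:hazelcast-client</exclude>
                                    <exclude>com.hazelcast:hazelcast-kubernetes</exclude>
                                </excludes>
                                <!-- Also catch copies pulled in by in-house wrapper libraries -->
                                <searchTransitive>true</searchTransitive>
                            </bannedDependencies>
                        </rules>
                        <fail>true</fail>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

Running `mvn dependency:tree -Dincludes=com.hazelcast` shows which module still drags in the old artifacts when the enforcer rule fails.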