The DataStax Cassandra core Java driver has a transitive dependency on guava-19 (including the latest DataStax), which has a security vulnerability (CVE-2018-10237).
To fix this, I tried excluding the guava-19.0 dependency from the DataStax driver and replacing it with guava-27.1-jre. I got the following error at run time, and confirmed the same by decompiling the latest guava driver; it looks like from guava-20.0 they removed the FutureFallback class and there is no backward compatibility with the latest Cassandra driver.
java.lang.NoClassDefFoundError: com/google/common/util/concurrent/FutureFallback
Any help, quick fix or alternative is highly appreciated.
The vulnerability relates to Guava classes AtomicDoubleArray and CompoundOrdering; we don't use them in the driver.
We've addressed Guava compatibility issues in JAVA-1328. The driver is compatible with 16.0.1 to latest, there is an internal compatibility layer to address the breaking changes in 19. I've just tried a simple client that overrides the dependency to 27.1-jre, things work as expected.
How were you testing and what was the stack trace of your error?
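An added example, not part of the original thread and not the driver's own code: a small Java diagnostic that prints which jar the driver and Guava classes discussed above are loaded from, and lists every copy of Guava visible on the classpath. The class name `GuavaClasspathCheck` is hypothetical, and the check assumes it is run with the application's own runtime classpath.

```java
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;

// Added example: reports where the classes named in this thread come from.
public class GuavaClasspathCheck {

    // Returns where a class was loaded from, or null if it is not on the classpath.
    static String locate(String className) {
        try {
            // initialize=false: find the class without running its static initializers
            Class<?> c = Class.forName(className, false,
                    GuavaClasspathCheck.class.getClassLoader());
            CodeSource src = c.getProtectionDomain().getCodeSource();
            return (src == null || src.getLocation() == null)
                    ? "(no code source)" : src.getLocation().toString();
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        String[] names = {
            "com.datastax.driver.core.Cluster",                 // the driver
            "com.google.common.util.concurrent.Futures",        // Guava, any version
            "com.google.common.util.concurrent.FutureFallback"  // class named in the error above
        };
        for (String name : names) {
            String where = locate(name);
            System.out.println(name + " -> " + (where == null ? "NOT FOUND" : where));
        }

        // More than one entry here means several Guava copies are visible to the
        // class loader, so the dependency override did not fully take effect.
        String resource = "com/google/common/util/concurrent/Futures.class";
        ClassLoader cl = GuavaClasspathCheck.class.getClassLoader();
        for (URL url : Collections.list(cl.getResources(resource))) {
            System.out.println("Guava copy: " + url);
        }
    }
}
```

The jar file names in the output show which driver and Guava versions were actually resolved at run time, which is the information the reply asks for alongside the full stack trace.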