Hadoop Common / HADOOP-18561

CVE-2021-37533 on commons-net is included in hadoop common and hadoop-client-runtime


Details

    • Reviewed

    Description

      The latest 3.3.4 version of hadoop-common and hadoop-client-runtime includes commons-net version 3.6, which has the vulnerability CVE-2021-37533. It needs to be upgraded to 3.9 to fix this.

      This is a due diligence patch only; by the time the caller encounters the CVE they must have already provided their username and password to a malicious ftp server.
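
A dependency check for the upgrade described above, as an added example that is not part of the issue or of Hadoop's own code: it scans `mvn dependency:tree` output for any commons-net below 3.9. The sample tree and the `org.example` modules are constructed for illustration.

```python
import re

FIXED = (3, 9)  # the issue asks for an upgrade to commons-net 3.9

# groupId:artifactId:type[:classifier]:version:scope, as Maven prints it
COORD = re.compile(
    r"commons-net:commons-net:jar:(?:[^:\s]+:)?([^:\s]+):(\w+)"
)

# Constructed sample output; the org.example modules are hypothetical.
SAMPLE = r"""
[INFO] org.example:ingest-job:jar:1.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.4:compile
[INFO] |  \- commons-net:commons-net:jar:3.6:compile
[INFO] org.example:ftp-sync:jar:1.0
[INFO] \- commons-net:commons-net:jar:3.9.0:compile
""".strip()


def parse_version(text):
    """Return the leading numeric components of a version as a tuple."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break  # stop at qualifiers such as SNAPSHOT
        parts.append(int(piece))
    return tuple(parts)


def find_vulnerable(tree_output, fixed=FIXED):
    """Return (line number, version) for each commons-net below `fixed`."""
    findings = []
    for lineno, line in enumerate(tree_output.splitlines(), 1):
        match = COORD.search(line)
        if match is None:
            continue
        version = match.group(1)
        # An unparseable version yields () and is flagged: fail closed.
        if parse_version(version) < fixed:
            findings.append((lineno, version))
    return findings


if __name__ == "__main__":
    for lineno, version in find_vulnerable(SAMPLE):
        print(f"line {lineno}: commons-net {version} is below 3.9")
```

A dependency tree lists declared dependencies only; a copy of commons-net bundled inside another jar has to be found by inspecting the jar contents instead.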


          People

            stevel@apache.org Steve Loughran
            phoebemaomao phoebe chen