[HADOOP-18497] Upgrade commons-text version to fix CVE-2022-42889 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.2.4, 3.3.4
Fix Version/s: 3.4.0, 3.3.5, 3.2.5
Component/s: build
Labels:
- pull-request-available

Target Version/s:

3.4.0, 3.3.5
Hadoop Flags:

Reviewed

Description

Upgrade commons-text version to ensure downstream applications are not at risk from CVE-2022-42889.

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

The CVE is related to variable expansion through the utility class org.apache.commons.text.lookup.StringLookup.

Hadoop does not use this in its codebase, and never has. Therefore it is not at direct risk from this.
We are not aware of any uses in its dependent libraries. Assuming this is true, hadoop is not at indirect risk from this.

Applications built using the hadoop libraries may be at risk if they use the class and get their version of commons-text set transitively from the hadoop build. Upgrading the dependency declared by hadoop ensures that these applications are not vulnerable.

Attachments

Issue Links

duplicates

HADOOP-18492 upgrade commons-text to 1.10.0

Resolved

is related to

SPARK-40801 Upgrade Apache Commons Text to 1.10

Resolved

ARTEMIS-4060 Upgrade Commons Text to 1.10.0

Closed

relates to

HADOOP-18341 upgrade commons-configuration2 to 2.8.0 and commons-text to 1.9

Resolved

links to

GitHub Pull Request #5037

GitHub Pull Request #5040

GitHub Pull Request #5041

(2 links to)

Activity

People

Assignee:: PJ Fanning

Reporter:: Xiaoqiao He

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 16/Oct/22 07:49

Updated:: 27/Jan/24 09:10

Resolved:: 18/Oct/22 03:43