Per the issue, woodstox-core 5.3.0 has a security vulnerability and needs to be upgraded to 5.4.0 for the fix.
The Hadoop Configuration classes use woodstox to parse the XML format (core-site.xml, ...), but:
- people don't normally put in DTDs
- the XML format is not the wire format used when applications submit jobs to the YARN resource manager.
- when parsing untrusted XML configuration files in restricted mode (e.g. Oozie workflows), DTD support is already disabled
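
As an illustration of the restricted-mode point in the last bullet (an added example, not code from Hadoop or from this change): a reader built on the standard `javax.xml.stream` API, which Woodstox implements, with DTD support turned off and any DOCTYPE rejected outright. The class name `RestrictedConfigParser` and both sample documents are constructed for the example.

```java
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical helper: reads <configuration><property><name/><value/></property></configuration>
public class RestrictedConfigParser {
    static Map<String, String> parse(String xml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Standard StAX properties: no DTD processing, no external entity resolution.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        Map<String, String> props = new LinkedHashMap<>();
        String name = null, value = null;
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.DTD) {
                    // Defense in depth: refuse the file instead of relying on the DOCTYPE being skipped.
                    throw new XMLStreamException("DOCTYPE not allowed in untrusted configuration");
                }
                if (event == XMLStreamConstants.START_ELEMENT) {
                    String tag = reader.getLocalName();
                    if (tag.equals("name")) name = reader.getElementText().trim();
                    else if (tag.equals("value")) value = reader.getElementText();
                } else if (event == XMLStreamConstants.END_ELEMENT && reader.getLocalName().equals("property")) {
                    if (name != null) props.put(name, value);
                    name = null; value = null;
                }
            }
        } finally {
            reader.close();
        }
        return props;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample inputs: one plain config, one carrying an internal DTD subset.
        String plain = "<configuration><property><name>fs.defaultFS</name>"
                + "<value>hdfs://nn.example:8020</value></property></configuration>";
        String withDtd = "<!DOCTYPE configuration [<!ENTITY e \"expanded\">]>"
                + "<configuration><property><name>k</name><value>&e;</value></property></configuration>";
        System.out.println(parse(plain));
        try { parse(withDtd); }
        catch (XMLStreamException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```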