Hadoop Common: HADOOP-19325

hadoop-rumen is vulnerable to Sonatype CWE611

Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: 3.4.0, 3.3.6, 3.4.1
    • Fix Version/s: None
    • Component/s: security, tools
    • Labels: None

    Description

      hadoop-rumen is vulnerable to CWE-611: Improper Restriction of XML External Entity Reference.

      sonatype-2022-5820

      Explanation: The Apache hadoop-common and hadoop-rumen packages are vulnerable to XML External Entity (XXE) attacks. The readXmlFileToMapWithFileInputStream() method in the HostsFileReader class, the parse() method in the JobConfigurationParser class, and the constructor in the ParsedConfigFile class process malicious external entities by default due to an unsafe XML parser configuration. A remote attacker who can supply or modify the contents of hosts or configuration XML files parsed by these packages can exploit this vulnerability to exfiltrate information, cause a Denial of Service (DoS) condition, or perform other XXE-related attacks.

      Root Cause: org/apache/hadoop/tools/rumen/JobConfigurationParser.class, org/apache/hadoop/tools/rumen/ParsedConfigFile.class
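The "unsafe XML parser configuration" named above is a JAXP factory that leaves DOCTYPE and entity processing at their defaults. As an added example (not Hadoop's own code; the class and method names are assumed and the two sample documents are constructed), the hardened factory below reads an ordinary Hadoop-style configuration file but rejects a document whose DOCTYPE declares an external entity before any entity is resolved:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;
public class HardenedConfigParser {
    // Hardened JAXP factory (assumed setup, not Hadoop's own code). Refusing any DOCTYPE means no
    // entity can be declared at all; the other switches cover parsers that ignore that feature.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Returns the value of the named <property> in a Hadoop-style configuration document, or null.
    static String readProperty(String xml, String wanted) throws Exception {
        Document doc = hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList props = doc.getElementsByTagName("property");
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            NodeList n = p.getElementsByTagName("name"), v = p.getElementsByTagName("value");
            if (n.getLength() > 0 && v.getLength() > 0 && wanted.equals(n.item(0).getTextContent().trim())) {
                return v.item(0).getTextContent();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign config and one whose DOCTYPE declares an external entity.
        String benign = "<configuration><property><name>mapreduce.job.name</name><value>wordcount</value></property></configuration>";
        String hostile = "<!DOCTYPE c [<!ENTITY ext SYSTEM \"file:///constructed/example\">]>"
                + "<configuration><property><name>mapreduce.job.name</name><value>&ext;</value></property></configuration>";
        System.out.println("benign: " + readProperty(benign, "mapreduce.job.name"));
        try {
            readProperty(hostile, "mapreduce.job.name");
        } catch (SAXParseException e) {
            System.out.println("rejected before any entity is resolved: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces parser the second document fails at the DOCTYPE itself, so the entity's SYSTEM identifier is never opened; the same factory settings apply to any DocumentBuilderFactory used to read hosts or job configuration files.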

People

    • Assignee: Unassigned
    • Reporter: palsai (Palakur Eshwitha Sai)
