Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Version: 3.3.1
- Release Note: okhttp has been updated to address CVE-2021-0341
Description
org.apache.hadoop:hadoop-hdfs-client comes with com.squareup.okhttp:okhttp:2.7.5 as a dependency, which is vulnerable to an information disclosure issue due to how the contents of sensitive headers, such as the Authorization header, can be logged when an IllegalArgumentException is thrown.
This issue could allow an attacker or malicious user who has access to the logs to obtain the sensitive contents of the affected headers, which could facilitate further attacks.
Fixed in 5.0.0-alpha3 by this commit. The fix was cherry-picked and backported into 4.9.2 with this commit.
Requesting you to clarify if this dependency will be updated to a fixed version in the following releases.
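As an added illustration of the pattern the report describes (written for this page, not okhttp's or Hadoop's own code): a header-value validator that copies the rejected value into its IllegalArgumentException message, beside a hardened version that reports only the header name and offending position. The class, method names and the sample value are assumptions.

```java
// Illustrative example; not code from okhttp or Hadoop.
public class HeaderValueCheck {

    // Leaky form: the full header value (here a bearer credential) is copied
    // into the exception message, so any log that records the exception
    // records the credential too.
    static void checkValueLeaky(String value, String name) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if ((c <= '\u001f' && c != '\t') || c >= '\u007f') {
                throw new IllegalArgumentException(String.format(
                    "Unexpected char 0x%02x at %d in %s value: %s", (int) c, i, name, value));
            }
        }
    }

    // Hardened form: same validation, but the message carries only the header
    // name and the position of the bad character; the value never leaves the method.
    static void checkValue(String value, String name) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if ((c <= '\u001f' && c != '\t') || c >= '\u007f') {
                throw new IllegalArgumentException(String.format(
                    "Unexpected char 0x%02x at %d in %s value", (int) c, i, name));
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a credential-bearing value with a trailing newline,
        // which both validators reject.
        String secret = "Bearer constructed-example-token\n";
        try {
            checkValueLeaky(secret, "Authorization");
        } catch (IllegalArgumentException e) {
            System.out.println("leaky message contains the token: "
                + e.getMessage().contains("constructed-example-token"));   // true
        }
        try {
            checkValue(secret, "Authorization");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened message contains the token: "
                + e.getMessage().contains("constructed-example-token"));   // false
        }
    }
}
```

The same check applies to any exception or log statement on the request path: a log sink that receives the message of the leaky form receives the Authorization value verbatim.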
Issue Links
- causes: HADOOP-18642 Cut excess dependencies from hadoop-azure, hadoop-aliyun transitive imports; fix LICENSE-binary (Resolved)
- is depended upon by: HADOOP-18305 Release Hadoop 3.3.4: minor update of hadoop-3.3.3 (Resolved)
- is duplicated by: HADOOP-18069 CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client (Resolved)
- relates to: HBASE-27292 Fix build failure against Hadoop 3.3.4 due to added dependency on okhttp (Resolved)