Hadoop HDFS: HDFS-16453

Upgrade okhttp from 2.7.5 to 4.9.3


Details

    • okhttp has been updated to address CVE-2021-0341

    Description

      org.apache.hadoop:hadoop-hdfs-client comes with com.squareup.okhttp:okhttp:2.7.5 as a dependency, which is vulnerable to an information disclosure issue due to how the contents of sensitive headers, such as the Authorization header, can be logged when an IllegalArgumentException is thrown.

      This issue could allow an attacker or malicious user who has access to the logs to obtain the sensitive contents of the affected headers, which could facilitate further attacks.

      Fixed in 5.0.0-alpha3 by this commit. The fix was cherry-picked and backported into 4.9.2 with this commit.

      Requesting you to clarify whether this dependency will be updated to a fixed version in the following releases.
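A check a maintainer can run over `mvn dependency:tree` output to flag okhttp artifacts that predate the fix, added here as an example and not part of this ticket or of Hadoop's build. The sample tree is constructed, and the version rule follows the ticket's statement that the fix landed in 5.0.0-alpha3 and was backported to 4.9.2.

```python
import re

# One `mvn dependency:tree` line carries groupId:artifactId:packaging[:classifier]:version:scope
ARTIFACT_RE = re.compile(r"([^\s:]+):([^\s:]+):(?:[^\s:]+:){1,2}([^\s:]+):(\w+)\s*$")
# major.minor[.patch][-qualifierN], e.g. 2.7.5 or 5.0.0-alpha3
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+))?$")
OKHTTP_GROUPS = {"com.squareup.okhttp", "com.squareup.okhttp3"}  # 2.x group id, 3.x+ group id

def version_key(version):
    """Sortable key; a pre-release (5.0.0-alpha3) sorts before its final release (5.0.0)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, 0, m.group(4).lower(), int(m.group(5)))
    return (major, minor, patch, 1, "", 0)

# Per the ticket: fixed in 5.0.0-alpha3, backported to 4.9.2.
FIXED_4X = version_key("4.9.2")
FIXED_5X = version_key("5.0.0-alpha3")

def carries_fix(version):
    """True if this okhttp version includes the sensitive-header redaction fix."""
    key = version_key(version)
    if key[0] >= 5:
        return key >= FIXED_5X  # 5.0.0-alpha1/alpha2 predate the fix
    return key >= FIXED_4X  # 4.9.2 and later; 2.x and 3.x never received it

def scan_tree(tree_text):
    """Return (coordinate, version, scope, fixed) for each okhttp artifact in the tree."""
    findings = []
    for line in tree_text.splitlines():
        m = ARTIFACT_RE.search(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        if group in OKHTTP_GROUPS and artifact == "okhttp":
            findings.append((f"{group}:{artifact}", version, scope, carries_fix(version)))
    return findings

# Constructed sample output; only the okhttp coordinates matter for the check.
SAMPLE_TREE = """\
[INFO] org.apache.hadoop:hadoop-hdfs-client:jar:3.3.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.7.5:compile
[INFO] \\- com.squareup.okhttp3:okhttp:jar:4.9.3:test
"""
if __name__ == "__main__":
    for coord, version, scope, fixed in scan_tree(SAMPLE_TREE):
        print(f"{coord}:{version} ({scope}) -> {'fixed' if fixed else 'AFFECTED'}")
```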


            People

              groot Ashutosh Gupta
              ivan.viaznikov Ivan Viaznikov