[HDFS-16453] Upgrade okhttp from 2.7.5 to 4.9.3 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.1
Fix Version/s: 3.4.0, 3.3.4
Component/s: hdfs-client
Labels:
- pull-request-available

Release Note:
okhttp has been updated to address CVE-2021-0341

Description

org.apache.hadoop:hadoop-hdfs-client comes with com.squareup.okhttp:okhttp:2.7.5 as a dependency, which is vulnerable to an information disclosure issue due to how the contents of sensitive headers, such as the Authorization header, can be logged when an IllegalArgumentException is thrown.

This issue could allow an attacker or malicious user who has access to the logs to obtain the sensitive contents of the affected headers which could facilitate further attacks.

Fixed in 5.0.0-alpha3 by this commit. The fix was cherry-picked and backported into 4.9.2 with this commit.

Requesting you to clarify if this dependency will be updated to a fixed version in the following releases

Attachments

Issue Links

causes

HADOOP-18642 Cut excess dependencies from hadoop-azure, hadoop-aliyun transitive imports; fix LICENSE-binary

Resolved

is depended upon by

HADOOP-18305 Release Hadoop 3.3.4: minor update of hadoop-3.3.3

Resolved

is duplicated by

HADOOP-18069 CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client

Resolved

relates to

HBASE-27292 Fix build failure against Hadoop 3.3.4 due to added dependency on okhttp

Resolved

links to

CVE-2021-0341

GitHub Pull Request #4229

(2 links to)

Activity

People

Assignee:: Ashutosh Gupta

Reporter:: Ivan Viaznikov

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 10/Feb/22 08:13

Updated:: 23/Feb/23 19:23

Resolved:: 20/May/22 18:18

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 20m