[ https://issues.apache.org/jira/browse/HADOOP-19325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran resolved HADOOP-19325.
-------------------------------------
    Resolution: Not A Problem

> hadoop-rumen is vulnerable to Sonatype CWE611
> ---------------------------------------------
>
>                 Key: HADOOP-19325
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19325
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: security, tools
>    Affects Versions: 3.4.0, 3.3.6, 3.4.1
>            Reporter: Palakur Eshwitha Sai
>            Priority: Major
>
> hadoop-rumen is vulnerable to CWE-611: [Improper Restriction of XML External
> Entity Reference|https://cwe.mitre.org/data/definitions/611.html].
>
> Explanation: The Apache {{hadoop-common}} and {{hadoop-rumen}} packages are
> vulnerable to XML External Entity (XXE) attacks. The
> {{readXmlFileToMapWithFileInputStream()}} method in the {{HostsFileReader}}
> class, the {{parse()}} method in the {{JobConfigurationParser}} class, and
> the constructor in the {{ParsedConfigFile}} class process malicious external
> entities by default due to an unsafe XML parser configuration. A remote
> attacker who can supply or modify the contents of hosts or configuration XML
> files parsed by these packages can exploit this vulnerability to exfiltrate
> information, cause a Denial of Service (DoS) condition, or perform other
> XXE-related attacks.
>
> Root Cause: org/apache/hadoop/tools/rumen/JobConfigurationParser.class,
> org/apache/hadoop/tools/rumen/ParsedConfigFile.class



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
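The ticket's claim rests on the distinction between a JAXP DocumentBuilderFactory left at its defaults (DOCTYPE accepted, external entities resolved) and one configured to refuse them. The example below, added here and not taken from the Jira ticket or from Hadoop's own HostsFileReader, JobConfigurationParser or ParsedConfigFile code, shows both configurations parsing the same constructed Hadoop-style configuration document whose DOCTYPE declares an external entity pointing at a local file. The class name XxeConfigDemo, the helper names and the property name used are illustrative assumptions; the secret file is created in a temp directory so the demo touches no real data. Requires Java 11 or later (for Files.writeString).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

// Illustrative class, not Hadoop code.
public class XxeConfigDemo {

    // Parser at JAXP defaults: DOCTYPE is accepted and SYSTEM entities are fetched.
    // This is the unsafe configuration shape the ticket describes.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser. Refusing any DOCTYPE is the decisive control: it removes
    // entity declarations and external DTD loading in one step. The remaining
    // settings are defence in depth for parsers that do not honour the first.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Reads <configuration><property><name/><value/></property>... and returns
    // the value of the requested property, or null if it is not present.
    static String readProperty(DocumentBuilder db, String xml, String wanted)
            throws SAXException, IOException {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList props = doc.getElementsByTagName("property");
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            String name = p.getElementsByTagName("name").item(0).getTextContent();
            if (wanted.equals(name)) {
                return p.getElementsByTagName("value").item(0).getTextContent();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file an attacker wants to read.
        Path secret = Files.createTempFile("xxe-demo-secret", ".txt");
        Files.writeString(secret, "top-secret-token");
        secret.toFile().deleteOnExit();

        // Constructed hostile configuration file: the DOCTYPE declares an external
        // entity pointing at the file, and the property value dereferences it.
        String hostile =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE configuration [\n"
          + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
          + "]>\n"
          + "<configuration>\n"
          + "  <property><name>mapreduce.job.name</name><value>&xxe;</value></property>\n"
          + "</configuration>\n";

        // Default parser: the entity is resolved and the file contents become the value.
        System.out.println("default parser  : "
            + readProperty(defaultBuilder(), hostile, "mapreduce.job.name"));

        // Hardened parser: the DOCTYPE is rejected before any entity is looked at.
        try {
            readProperty(hardenedBuilder(), hostile, "mapreduce.job.name");
            System.out.println("hardened parser : UNEXPECTEDLY parsed the document");
        } catch (SAXException e) {
            System.out.println("hardened parser : rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeConfigDemo.java && java XxeConfigDemo`. The same factory settings apply to SAXParserFactory and to XMLInputFactory (set IS_SUPPORT_DTD to false there); whichever parser is in use, the check a reviewer wants to see is that a DOCTYPE in untrusted input is refused rather than processed, since a file that an operator or job submitter can edit is exactly the attacker-controlled input the ticket describes.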