[ 
https://issues.apache.org/jira/browse/SOLR-16324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17575468#comment-17575468
 ] 

Gus Heck edited comment on SOLR-16324 at 8/4/22 10:17 PM:
----------------------------------------------------------

When I looked at this it seemed that this dependency is inherited from 
hadoop-auth module, apparently via explicitly specified transitive dependencies 
in that build file, near a comment that these are used for 
hadoop-common/Kerberos.  Removing it didn't seem to inhibit compilation (top 
level gradle classes task) in my IDE.

Hadoop tests fail if I remove this dep, and did pass with 2.8.0 FWIW

Thus, there is a fair chance (but I will not claim 100% certainty since 
these are just quick checks) that non-Kerberos users are unaffected.

Someone better able to truly verify Hadoop/Kerberos stuff works with 2.8 or 
upgrade Hadoop dependencies if applicable should look at this.


was (Author: gus_heck):
When I looked at this it seemed that this dependency is inherited from 
hadoop-auth module, apparently via explicitly specified transitive dependencies 
in that build file, near a comment that these are used for 
hadoop-common/Kerberos.  Removing it didn't seem to inhibit compilation (top 
level gradle classes task) in my IDE.

Hadoop tests fail if I remove this dep, and did pass with 2.8 FWIW

Thus, there is a fair chance (but I will not claim 100% certainty since 
these are just quick checks) that non-Kerberos users are unaffected.

Someone better able to truly verify Hadoop/Kerberos stuff works with 2.8 or 
upgrade Hadoop dependencies if applicable should look at this.

> CVE-2022-33980 in commons-configuration2
> ----------------------------------------
>
>                 Key: SOLR-16324
>                 URL: https://issues.apache.org/jira/browse/SOLR-16324
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Andrew Kulick
>            Priority: Major
>
> CVE-2022-33980 is present in org.apache.commons_commons-configuration2:2.7. 
> Upgrading to version 2.8 will remediate the issue


