
CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Open ppalaga opened this issue 3 years ago • 4 comments

See https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz

We should avoid using org.apache.hadoop:hadoop-common older than 3.2.3.

$ mvn org.l2x6.cq:cq-prod-maven-plugin:2.23.0:find-dependency -N -e '-Dcq.gavPattern=org.apache.hadoop:hadoop-common'
...
[WARNING] Found org.apache.camel.quarkus:camel-quarkus-hbase:2.9.0-SNAPSHOT:jar:
        -> org.apache.camel:camel-hbase:3.16.0:jar:
        -> org.apache.hbase:hbase-client:2.4.10:jar:
        -> org.apache.hadoop:hadoop-common:2.10.0:jar:
...
[WARNING] Found org.apache.camel.quarkus:camel-quarkus-hdfs:2.9.0-SNAPSHOT:jar:
        -> org.apache.camel:camel-hdfs:3.16.0:jar:
        -> org.apache.hadoop:hadoop-common:3.3.2:jar:
...
[WARNING] Found org.apache.camel.quarkus:camel-quarkus-spark:2.9.0-SNAPSHOT:jar:
        -> org.apache.camel:camel-spark:3.16.0:jar:
        -> org.apache.hadoop:hadoop-common:3.3.2:jar:
...

ppalaga avatar May 03 '22 11:05 ppalaga
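As an added example (not part of the issue thread or of the cq-prod-maven-plugin), the following script parses find-dependency output of the shape shown above and reports which camel-quarkus extensions transitively pull in org.apache.hadoop:hadoop-common below the 3.2.3 threshold named in the issue; the sample output is constructed from the chains quoted above, and the 3.2.3 cut-off is the version the issue gives.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of cq-prod-maven-plugin find-dependency
# output, echoing the chains quoted in the issue.
SAMPLE_OUTPUT = """\
[WARNING] Found org.apache.camel.quarkus:camel-quarkus-hbase:2.9.0-SNAPSHOT:jar:
        -> org.apache.camel:camel-hbase:3.16.0:jar:
        -> org.apache.hbase:hbase-client:2.4.10:jar:
        -> org.apache.hadoop:hadoop-common:2.10.0:jar:
[WARNING] Found org.apache.camel.quarkus:camel-quarkus-hdfs:2.9.0-SNAPSHOT:jar:
        -> org.apache.camel:camel-hdfs:3.16.0:jar:
        -> org.apache.hadoop:hadoop-common:3.3.2:jar:
"""

TARGET = "org.apache.hadoop:hadoop-common"
MIN_SAFE = "3.2.3"  # oldest hadoop-common the issue considers acceptable

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version padded to 3 parts: '3.3.2' -> (3, 3, 2).
    Qualifiers like '-SNAPSHOT' are ignored; no numeric prefix sorts lowest."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    parts = tuple(int(n) for n in m.group(1).split(".")) if m else ()
    return parts + (0,) * (3 - len(parts))

def parse_chains(output: str) -> List[List[str]]:
    """Group each '[WARNING] Found <root>' line with its indented '->' chain."""
    chains: List[List[str]] = []
    for line in output.splitlines():
        root = re.match(r"\[WARNING\] Found (\S+)", line)
        if root:
            chains.append([root.group(1)])
            continue
        dep = re.match(r"\s*-> (\S+)", line)
        if dep and chains:
            chains[-1].append(dep.group(1))
    return chains

def vulnerable_roots(output: str, target: str = TARGET,
                     min_safe: str = MIN_SAFE) -> Dict[str, str]:
    """Map each root groupId:artifactId to the too-old target version it pulls."""
    hits: Dict[str, str] = {}
    for chain in parse_chains(output):
        root = ":".join(chain[0].split(":")[:2])
        for gav in chain[1:]:
            group, artifact, version = gav.split(":")[:3]
            if f"{group}:{artifact}" == target and version_key(version) < version_key(min_safe):
                hits[root] = version
    return hits
```

Running `vulnerable_roots(SAMPLE_OUTPUT)` on the constructed sample flags only camel-quarkus-hbase (hadoop-common 2.10.0), while camel-quarkus-hdfs at 3.3.2 passes; pipe real `mvn ... find-dependency` output into it to gate a build.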

I wonder if we should deprecate and remove hdfs & hbase? Hadoop is a massive bucket of stuff that seems to have no real dependency alignment or convergence management. Coupled with the fact these extensions are using different Hadoop versions, it makes maintaining them quite painful.

jamesnetherton avatar Jul 01 '22 08:07 jamesnetherton

I agree we should deprecate them. Plus the hadoop community is not responsive about security. Plus we are relying on old versions without possibility to upgrade (at least for hbase). https://issues.apache.org/jira/browse/CAMEL-18246 https://issues.apache.org/jira/browse/HADOOP-18317

What would you think about deprecating the spark extension too?

aldettinger avatar Jul 06 '22 19:07 aldettinger

What would you think about deprecating the spark extension too?

We already removed Spark in 2.10.0 👍

jamesnetherton avatar Jul 06 '22 20:07 jamesnetherton

I wonder if we should deprecate and remove hdfs & hbase? Hadoop is a massive bucket of stuff that seems to have no real dependency alignment or convergence management. Coupled with the fact these extensions are using different Hadoop versions, it makes maintaining them quite painful.

I agree they are hard to maintain. Do you know if there were any discussions on Camel level to remove those? Ideally they should be agreed for deprecation and removal in Camel.

ppalaga avatar Jul 08 '22 13:07 ppalaga

There was discussion in camel upstream to talk about deprecating spark, hbase and hdfs:

  • camel-spark (will be deprecated in camel, already removed in camel-quarkus)
  • camel-hbase (will be deprecated in camel, we could deprecate as well in camel-quarkus)

Concerning camel-hdfs, the deprecation is reported in camel as there is community interest. Now comes the question of the maintenance in camel-quarkus:

  • This CVE should be fixed
  • I think we would have a single hadoop version left as we remove hbase
  • However I don't know how bad alignment/convergence could still be

At this stage, I would report the deprecation of camel-quarkus-hdfs and reconsider when we hit another big maintenance issue.

@jamesnetherton @ppalaga What do you think?

aldettinger avatar Nov 24 '22 09:11 aldettinger

+1 for deprecating both hdfs and hbase

ppalaga avatar Nov 24 '22 12:11 ppalaga

Ok, let's deprecate both in Camel Quarkus then. We could come back if there is a strong community involvement to narrow down the maintenance burden in the future.

aldettinger avatar Nov 24 '22 17:11 aldettinger

+1 for deprecating

zbendhiba avatar Nov 25 '22 08:11 zbendhiba

hbase has been partly deprecated in camel-quarkus commit https://github.com/apache/camel-quarkus/commit/bbbee804a215072c217912ffbf922a2438453c52

aldettinger avatar Jan 04 '23 15:01 aldettinger