
Remove hadoop 2.6.5 vulnerability

CleWang opened this issue 4 years ago · 1 comment

Hello, I found that your project uses some dependencies with CVEs, and the buggy methods of those CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. Here is the detailed information:

  • Vulnerable Dependency: org.apache.hadoop : hadoop-common : 2.6.5

  • Call Chain to Buggy Methods:

    • Some files in your project call the library method org.apache.hadoop.io.SequenceFile.Reader.next(org.apache.hadoop.io.Writable,org.apache.hadoop.io.Writable), which can reach the buggy method of CVE-2017-15713.

      • Files in your project: library/hdfs-library/src/main/java/uk/gov/gchq/gaffer/hdfs/operation/handler/job/tool/SampleDataAndCreateSplitsFileTool.java
      • One of the possible call chains:
        org.apache.hadoop.io.SequenceFile.Reader.next(org.apache.hadoop.io.Writable,org.apache.hadoop.io.Writable) [buggy method]

    • Some files in your project call the library method org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[]), which can reach the buggy method of CVE-2017-15713.

      • Files in your project: store-implementation/hbase-store/src/main/java/uk/gov/gchq/gaffer/hbasestore/operation/hdfs/handler/AddElementsFromHdfsHandler.java
      • One of the possible call chains:
        org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[])
        org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[])
        org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,java.lang.String[])
        org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.Options,java.lang.String[])
        org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(org.apache.commons.cli.Options,org.apache.hadoop.conf.Configuration,java.lang.String[])
        org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.CommandLine)
        org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
        org.apache.hadoop.conf.Configuration.get(java.lang.String)
        org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]

  • Update suggestion: version 3.2.1. 3.2.1 is a safe version without CVEs. From 2.6.5 to 3.2.1, 6 of the APIs (called 10 times in your project) were modified.

CleWang, Mar 02 '20 09:03

@CleWang My sincere apologies for taking more than a year to respond. We will be addressing version upgrades later in the year and will consider your suggestions then. Thanks.

n3101, Aug 24 '21 15:08

@CleWang Another year older, but I can finally say that we have released Gaffer 2.0 alpha3 which addresses your issue and offers a choice between a default of Accumulo2 & Hadoop 3 versions on one hand, or the old versions for legacy diehards on the other.

n3101, Oct 11 '22 13:10