Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/01/27 03:25:17 UTC

[GitHub] [dolphinscheduler] Abbylii opened a new issue #8212: The project references 305 open-source components such as org.apache.hadoop:hadoop-common@2.7.3, with 23 vulnerabilities; upgrading is recommended

Abbylii opened a new issue #8212:
URL: https://github.com/apache/dolphinscheduler/issues/8212


   Hi, I noticed that your project depends on 305 open-source components such as org.apache.hadoop:hadoop-common@2.7.3, which carry 23 security vulnerabilities. I recommend that you upgrade.
   ```
   Vulnerability title: Apache Hadoop YARN NodeManager security vulnerability
   Vulnerability ID: CVE-2017-15718
   Vulnerability description:
   Apache Hadoop is an open-source distributed system infrastructure from the Apache Software Foundation (USA). It performs distributed processing of large volumes of data and is characterized by high reliability, high scalability and high fault tolerance. YARN NodeManager is the YARN node manager component.
   The YARN NodeManager in Apache Hadoop versions 2.7.3 and 2.7.4 has a security vulnerability. An attacker could exploit it to access encrypted passwords.
   National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2018-03249
   Severity: Critical
   Affected range: [2.7.3, 2.7.5)
   Minimum fixed version: 2.7.5
   Dependency path:
   org.apache.dolphinscheduler:dolphinscheduler:2.0.0-SNAPSHOT->org.apache.dolphinscheduler:dolphinscheduler-alert-server@2.0.0-SNAPSHOT->org.apache.dolphinscheduler:dolphinscheduler-remote@2.0.0-SNAPSHOT->org.apache.dolphinscheduler:dolphinscheduler-common@2.0.0-SNAPSHOT->org.apache.hadoop:hadoop-common@2.7.3
   ```
   There are 22 more vulnerabilities. To view the detailed report, re-scan, or continuously monitor your project, click here: https://www.mfsec.cn/jr?p=k1106e
   If your project is not concerned about this security issue, feel free to ignore it.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [dolphinscheduler] github-actions[bot] commented on issue #8212: The project references 305 open source components such as org.apache.hadoop:hadoop-common@2.7.3, there are 23 vulnerabilities, it is recommended to upgrade

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #8212:
URL: https://github.com/apache/dolphinscheduler/issues/8212#issuecomment-1022812595


   Hi:
   * Thank you for your feedback. We have received your issue; please wait patiently for a reply.
   * In order for us to understand your request as soon as possible, please provide detailed information, version, or pictures.
   * If you haven't received a reply for a long time, you can subscribe to the developer mailing list. Mail subscription steps: https://dolphinscheduler.apache.org/en-us/community/development/subscribe.html . Then write the issue URL in the email content and send your question to dev@dolphinscheduler.apache.org.





[GitHub] [dolphinscheduler] github-actions[bot] commented on issue #8212: The project references 305 open source components such as org.apache.hadoop:hadoop-common@2.7.3, there are 23 vulnerabilities, it is recommended to upgrade

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #8212:
URL: https://github.com/apache/dolphinscheduler/issues/8212#issuecomment-1022812486


   Boss, I have noticed that your project calls 305 open source components such as org.apache.hadoop:hadoop-common@2.7.3, and there are 23 security vulnerabilities. It is recommended that you upgrade.
   ```
   Vulnerability Title: Apache Hadoop YARN NodeManager Security Vulnerability
   Vulnerability ID: CVE-2017-15718
   Vulnerability description:
   Apache Hadoop is a set of open source distributed system infrastructure of the Apache Software Foundation of the United States. It can perform distributed processing on a large amount of data, and has the characteristics of high reliability, high scalability, and high fault tolerance. YARN NodeManager is one of the YARN node managers.
   A security vulnerability exists in the YARN NodeManager in Apache Hadoop versions 2.7.3 and 2.7.4. An attacker could exploit this vulnerability to access encrypted passwords.
   National vulnerability database information: https://www.cnvd.org.cn/flaw/show/CNVD-2018-03249
   Vulnerability Level: Critical
   Scope of influence: [2.7.3, 2.7.5)
   Min fix version: 2.7.5
   Import path:
   org.apache.dolphinscheduler:dolphinscheduler:2.0.0-SNAPSHOT->org.apache.dolphinscheduler:dolphinscheduler-alert-server@2.0.0-SNAPSHOT->org.apache.dolphinscheduler:dolphinscheduler-remote@2.0.0-SNAPSHOT->org.apache.dolphinscheduler:dolphinscheduler-common@2.0.0-SNAPSHOT->org.apache.hadoop:hadoop-common@2.7.3
   ```
   Another 22 vulnerabilities, if you want to view the detailed report, retest or continuously monitor your project, click here https://www.mfsec.cn/jr?p=k1106e
   If your project does not care about this security issue, you can ignore it.

