Posted to hdfs-issues@hadoop.apache.org by "Akira Ajisaka (Jira)" <ji...@apache.org> on 2022/09/27 06:52:00 UTC

[jira] [Resolved] (HDFS-16766) XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source

     [ https://issues.apache.org/jira/browse/HDFS-16766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Akira Ajisaka resolved HDFS-16766.
----------------------------------
    Fix Version/s: 3.4.0
                   3.3.9
                   3.2.5
       Resolution: Fixed

Committed to trunk, branch-3.3, and branch-3.2. Thank you [~Du] for your report and thank you [~groot] for your fix!

> XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source
> --------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-16766
>                 URL: https://issues.apache.org/jira/browse/HDFS-16766
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.4
>            Reporter: Jing
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.9, 3.2.5
>
>
> XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. The attack resides in XML input containing references to an external entity and is parsed by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.
>  
> https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93


