Posted to common-issues@hadoop.apache.org by "Steve Loughran (Jira)" <ji...@apache.org> on 2022/06/22 17:56:00 UTC

[jira] [Resolved] (HADOOP-18237) Upgrade Apache Xerces Java to 2.12.2

     [ https://issues.apache.org/jira/browse/HADOOP-18237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran resolved HADOOP-18237.
-------------------------------------
    Fix Version/s: 3.4.0
                   3.3.4
       Resolution: Fixed

> Upgrade Apache Xerces Java to 2.12.2
> ------------------------------------
>
>                 Key: HADOOP-18237
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18237
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Ashutosh Gupta
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.4
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Description
> https://github.com/advisories/GHSA-h65f-jvqw-m9fj
> There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
> References
> https://nvd.nist.gov/vuln/detail/CVE-2022-23437
> https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
> http://www.openwall.com/lists/oss-security/2022/01/24/3
> https://www.oracle.com/security-alerts/cpuapr2022.html



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
