You are viewing a plain text version of this content. The canonical link for it is here.

Posted to hdfs-dev@hadoop.apache.org by "Ivan Viaznikov (Jira)" <ji...@apache.org> on 2022/02/10 08:14:00 UTC

[jira] [Created] (HDFS-16453) okhttp vulnerable library update

Ivan Viaznikov created HDFS-16453:
-------------------------------------

             Summary: okhttp vulnerable library update
                 Key: HDFS-16453
                 URL: https://issues.apache.org/jira/browse/HDFS-16453
             Project: Hadoop HDFS
          Issue Type: Wish
          Components: hdfs-client
    Affects Versions: 3.3.1
            Reporter: Ivan Viaznikov


{{org.apache.hadoop:hadoop-hdfs-client}} comes with {{com.squareup.okhttp:okhttp:2.7.5}} as a dependency, which is vulnerable to an information disclosure issue due to how the contents of sensitive headers, such as the {{Authorization}} header, can be logged when an {{IllegalArgumentException}} is thrown.

This issue could allow an attacker or malicious user who has access to the logs to obtain the sensitive contents of the affected headers which could facilitate further attacks.

Fixed in {{5.0.0-alpha3}} by [this|https://github.com/square/okhttp/commit/dcc6483b7dc6d9c0b8e03ff7c30c13f3c75264a5] commit. The fix was cherry-picked and backported into {{4.9.2}} with [this|https://github.com/square/okhttp/commit/1fd7c0afdc2cee9ba982b07d49662af7f60e1518] commit.

Requesting you to clarify if this dependency will be updated to a fixed version in the following releases



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org