Posted to user@hbase.apache.org by Barani Bikshandi <bb...@gmail.com> on 2020/03/10 17:07:42 UTC

Weakly Configured XML External Entity for Java JAXBContext

I was notified of a security issue recently in the below package. Is there a plan to fix this vulnerability in the near future?

Risk Name
Weakly Configured XML External Entity for Java JAXBContext

Vulnerability
An attacker can inject untrusted data into applications which may result in the disclosure of confidential data, denial of service, server side request forgeries or port scanning.

Code:
/hbase/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/client/RemoteAdmin.java

Mitigation:
We require that XML processors be configured properly to prevent XXE (XML External Entity) attacks when an application handles data from an untrusted source.
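The configuration the mitigation line asks for, shown as an added example that is neither HBase's code nor part of Barani's report. It assumes the Java 8-era `javax.xml.bind` JAXB API and the JDK's built-in Xerces-derived SAX parser; the `Status` class, the `hardenedReader` and `unmarshal` helpers and both input documents are constructed for illustration. The weak pattern is handing an `InputStream` straight to `Unmarshaller.unmarshal`, which lets JAXB create a default parser with DTD processing and external entity resolution enabled; the hardened form builds the `XMLReader` itself and wraps it in a `SAXSource`, so every document JAXB sees goes through a parser that rejects any DOCTYPE and resolves no external entities.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class SafeJaxbUnmarshal {

    // Hypothetical payload type, constructed for this example only.
    @XmlRootElement(name = "status")
    public static class Status {
        public String message;
    }

    // Build a SAX reader that cannot be used for XXE: no DOCTYPE at all,
    // no external general or parameter entities, no external DTD fetch,
    // no XInclude. The feature URIs are the standard Xerces/SAX ones
    // honoured by the JDK's default parser.
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setXIncludeAware(false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    // Weak form (for contrast, not used):
    //   unmarshaller.unmarshal(inputStream)  -> JAXB picks its own parser
    // Hardened form: route the bytes through our locked-down reader.
    static Status unmarshal(String xml)
            throws JAXBException, ParserConfigurationException, SAXException {
        JAXBContext ctx = JAXBContext.newInstance(Status.class);
        Unmarshaller u = ctx.createUnmarshaller();
        SAXSource source = new SAXSource(hardenedReader(),
                new InputSource(new StringReader(xml)));
        return (Status) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a plain document still parses normally.
        String benign = "<status><message>ok</message></status>";
        System.out.println("benign -> " + unmarshal(benign).message);

        // Constructed sample input: any DOCTYPE, even one declaring only a
        // harmless internal entity, is rejected outright. That is the check
        // a defender wants: the parser never reaches entity resolution.
        String withDoctype = "<!DOCTYPE status [<!ENTITY greeting \"hello\">]>"
                + "<status><message>&greeting;</message></status>";
        try {
            unmarshal(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (UnmarshalException e) {
            // JAXB wraps the SAXParseException from disallow-doctype-decl.
            System.out.println("DOCTYPE rejected as expected: " + e.getCause());
        }
    }
}
```

A quick review check for this class of finding is to grep the code base for `createUnmarshaller()` and confirm each call site unmarshals from a `SAXSource` or `XMLStreamReader` built from a hardened factory rather than from a raw `InputStream`, `Reader` or `URL`.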

Re: Weakly Configured XML External Entity for Java JAXBContext

Posted by Josh Elser <el...@apache.org>.
Per the guidance on the HBase book preface[1], I'll forward Barani's
question to the HBase private list. I'd kindly request no further
communication here until the question can be properly evaluated.

Thanks.

[1] https://hbase.apache.org/book.html#_preface

On 3/10/20 1:07 PM, Barani Bikshandi wrote:
> I was notified of a security issue recently in the below package. Is there a plan to fix this vulnerability in the near future?
> 
> Risk Name
> Weakly Configured XML External Entity for Java JAXBContext
> 
> Vulnerability
> An attacker can inject untrusted data into applications which may result in the disclosure of confidential data, denial of service, server side request forgeries or port scanning.
> 
> Code:
> /hbase/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/client/RemoteAdmin.java
> 
> Mitigation:
> We require that XML processors be configured properly to prevent XXE (XML External Entity) attacks when an application handles data from an untrusted source.
>