Posted to issues@sentry.apache.org by "Arjun Mishra (JIRA)" <ji...@apache.org> on 2018/03/30 06:49:00 UTC
[jira] [Created] (SENTRY-2194) Upgrade Sentry hadoop-common dependency to 2.7.5 to take advantage of security vulnerability fix
Arjun Mishra created SENTRY-2194:
------------------------------------
Summary: Upgrade Sentry hadoop-common dependency to 2.7.5 to take advantage of security vulnerability fix
Key: SENTRY-2194
URL: https://issues.apache.org/jira/browse/SENTRY-2194
Project: Sentry
Issue Type: Improvement
Affects Versions: 2.1.0
Reporter: Arjun Mishra
Assignee: Arjun Mishra
The MapReduce team discovered a security vulnerability in the parsing of MapReduce Job History Server configuration: private files owned by the user running the cluster could be exposed. The fix has been applied in versions 2.7.5, 2.8.3, 2.9.0 and 3.0.0. Since Sentry uses the hadoop-common Configuration class to parse XML files, this change can be accommodated by our product as well. Sentry upstream is currently using hadoop.version 2.7.2, and we should bump this version to 2.7.5 to take advantage of this fix.
The hadoop change involves adding a new boolean attribute restrictParser. Setting restrictParser to true will:
* Limit XML parsing to conform with the feature "http://apache.org/xml/features/disallow-doctype-decl"
** This is a security feature explained here - https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
* Set the boolean restrictSystemProps to true
** This prevents system properties from being read
* Set XML inclusion (XInclude) to false
** This prevents merging of XML documents
With this change on the Hadoop side, only the default resources and hadoop-site.xml have this feature turned off, so they are read without restricted parsing. Sentry is not listed as a default resource and would therefore have to explicitly set this property to true.
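To make the three settings concrete, here is an added Java example that is not Hadoop's or Sentry's code: a hypothetical RestrictedConfigParser that reads a Hadoop-style <configuration> document with the same three restrictions applied through plain JAXP, on constructed sample input (the class name, its two boolean parameters and the sample documents are assumptions).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Hypothetical stand-in for the Hadoop Configuration loader (an assumption; not Hadoop's or Sentry's code).
public class RestrictedConfigParser {
    private static final Pattern VAR = Pattern.compile("\\$\\{([^}]+)\\}");

    public static Map<String, String> parse(String xml, boolean restrictParser,
                                            boolean restrictSystemProps) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // XInclude off: an <xi:include href="..."/> cannot merge another document into this one.
        f.setXIncludeAware(!restrictParser);
        if (restrictParser) {  // any DOCTYPE, and with it any external entity, now aborts the parse
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> props = new LinkedHashMap<>();
        NodeList list = doc.getElementsByTagName("property");
        for (int i = 0; i < list.getLength(); i++) {
            Element p = (Element) list.item(i);
            String name = p.getElementsByTagName("name").item(0).getTextContent();
            String value = p.getElementsByTagName("value").item(0).getTextContent();
            // restrictSystemProps: ${...} stays literal; otherwise it is resolved from System properties (Java 9+ replaceAll)
            props.put(name, restrictSystemProps ? value : VAR.matcher(value).replaceAll(
                    r -> Matcher.quoteReplacement(System.getProperty(r.group(1), r.group()))));
        }
        return props;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one carries a DOCTYPE with an external entity, the other a ${...} reference.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE configuration [<!ENTITY ext SYSTEM "
                + "\"file:///PLACEHOLDER/private-file\">]><configuration><property><name>a</name>"
                + "<value>&ext;</value></property></configuration>";
        String plain = "<configuration><property><name>dir</name><value>${user.home}/sentry</value>"
                + "</property></configuration>";
        try {
            parse(withDoctype, true, true);
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("restricted parse rejected the DOCTYPE: " + e.getMessage());
        }
        System.out.println(parse(plain, true, true));
        System.out.println(parse(plain, true, false));
    }
}
```

With restrictParser true the first document is rejected before any entity is read, and with restrictSystemProps true the ${user.home} value comes back as the literal string rather than the JVM's home directory.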
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)