Posted to issues@hawq.apache.org by "Shivram Mani (JIRA)" <ji...@apache.org> on 2015/11/12 20:02:11 UTC

[jira] [Commented] (HAWQ-151) Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability

    [ https://issues.apache.org/jira/browse/HAWQ-151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15002657#comment-15002657 ] 

Shivram Mani commented on HAWQ-151:
-----------------------------------

The above vulnerability exists in apache commons versions and is exposed when using InvokerTransformer during deserialization.
PXF has a dependency on various components, including tomcat, hadoop-common and hadoop-client, that use apache commons 3.2.1, which means that even if we fix this issue directly in the PXF code base, this vulnerability can still be exposed by the underlying hadoop libraries.
The proposed fix essentially disables deserializing in InvokerTransformer and the proposal is to selectively enable them in specific transformers. The fix is not yet mature enough to be consumed at this point. When we upgrade to a newer version of the commons library in the future (4.0+), this fix would be alleviated.

For now, we will not make any change in the PXF code base or patch any underlying library.

> Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability
> ------------------------------------------------------------------------------------
>
>                 Key: HAWQ-151
>                 URL: https://issues.apache.org/jira/browse/HAWQ-151
>             Project: Apache HAWQ
>          Issue Type: Task
>          Components: PXF
>            Reporter: C.J. Jameson
>            Assignee: Shivram Mani
>            Priority: Critical
>
> There is a remote code execution vulnerability in Apache Commons Collections. This vulnerability affects many Java applications and frameworks, so we should check if our code is also vulnerable.
> Here's the article that started the current debate about this vulnerability, including links to the original conference talk: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> Here's the ticket in Apache's JIRA: https://issues.apache.org/jira/browse/COLLECTIONS-580
> Other projects' examples of reports and workarounds:
> Jenkins has a temporary workaround and a security update is coming this Wednesday: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
> and Spring already has a fix in version 4.2.3, to be officially released on 11/16: https://jira.spring.io/browse/SPR-13656



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)