Eugene Shinn (Truveta) created HADOOP-18825:
-----------------------------------------------

             Summary: Address Netty 4.x / CWE-295 by configuring hostname verification
                 Key: HADOOP-18825
                 URL: https://issues.apache.org/jira/browse/HADOOP-18825
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 3.3.6
            Reporter: Eugene Shinn (Truveta)


Our SAST tool has picked up that the version of Netty 4.x used by Hadoop is vulnerable to [Security Vulnerability - Common Weakness Enumeration (CWE) CWE-295 · Issue #9930 · netty/netty (github.com)|https://github.com/netty/netty/issues/9930]. Until Netty 5 is released (which will enable it by default), the remediation is to enable host name verification ([SslContext (Netty API Reference (4.1.95.Final))|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newHandler-io.netty.buffer.ByteBufAllocator-java.util.concurrent.Executor-]).
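
One way to apply the remediation named in the issue on a Netty 4.1 client pipeline, as an added example that is not part of the original message or of Hadoop's code. The class name `VerifyingTlsInitializer`, its constructor arguments and the use of the default JDK trust store are assumptions made for illustration; Netty 4.1 is assumed to be on the classpath.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Hypothetical client-side initializer (illustrative name, not a Hadoop class). */
public final class VerifyingTlsInitializer extends ChannelInitializer<SocketChannel> {
    private final SslContext sslContext;
    private final String peerHost;
    private final int peerPort;

    public VerifyingTlsInitializer(String peerHost, int peerPort) throws SSLException {
        // Assumption: the default JDK trust store is the right trust anchor set.
        // Chain validation alone does not bind the certificate to the host name.
        this.sslContext = SslContextBuilder.forClient().build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    /** Builds an SslHandler whose engine rejects certificates that do not match host. */
    static SslHandler newVerifyingHandler(SslContext ctx, ByteBufAllocator alloc,
                                          String host, int port) {
        // The host/port overload tells the engine which peer name to compare against.
        SslHandler handler = ctx.newHandler(alloc, host, port);
        SSLEngine engine = handler.engine();
        // Read-modify-write: keep the engine's existing protocols and cipher suites.
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS" selects RFC 2818 style matching of the SAN/CN against the peer host.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return handler;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // TLS must be first in the pipeline so every byte passes through it.
        ch.pipeline().addFirst("ssl",
                newVerifyingHandler(sslContext, ch.alloc(), peerHost, peerPort));
    }
}
```

With this in place, a handshake against a server whose certificate does not cover `peerHost` fails with an `SSLHandshakeException` instead of completing.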