[jira] [Work logged] (HADOOP-18237) Upgrade Apache Xerces Java to 2.12.2

Mon, 16 May 2022 20:56:08 -0700 


     [ 
https://issues.apache.org/jira/browse/HADOOP-18237?focusedWorklogId=771133&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-771133
 ]

ASF GitHub Bot logged work on HADOOP-18237:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 17/May/22 03:55
            Start Date: 17/May/22 03:55
    Worklog Time Spent: 10m 
      Work Description: ashutoshcipher opened a new pull request, #4318:
URL: https://github.com/apache/hadoop/pull/4318

   ### Description of PR
   Upgraded Apache Xerces Java to 2.12.2 due to handle vulnerability 
[CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437)
   * JIRA: HADOOP-18237
   
   
   - [x] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 771133)
    Remaining Estimate: 0h
            Time Spent: 10m

> Upgrade Apache Xerces Java to 2.12.2
> ------------------------------------
>
>                 Key: HADOOP-18237
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18237
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Ashutosh Gupta
>            Assignee: Ashutosh Gupta
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Description
> https://github.com/advisories/GHSA-h65f-jvqw-m9fj
> There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser 
> when handling specially crafted XML document payloads. This causes, the 
> XercesJ XML parser to wait in an infinite loop, which may sometimes consume 
> system resources for prolonged duration. This vulnerability is present within 
> XercesJ version 2.12.1 and the previous versions.
> References
> [https://nvd.nist.gov/vuln/detail/CVE-2022-23437]
> https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
> http://www.openwall.com/lists/oss-security/2022/01/24/3
> https://www.oracle.com/security-alerts/cpuapr2022.html



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to