[
https://issues.apache.org/jira/browse/HADOOP-18341?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606894#comment-17606894
]
ASF GitHub Bot commented on HADOOP-18341:
-----------------------------------------
tasanuma commented on PR #4578:
URL: https://github.com/apache/hadoop/pull/4578#issuecomment-1251849439
Thanks for your PR and your discussion, @pjfanning and @ashutoshcipher.
Our source code analyzer also detected CVE-2022-33980 in
commons-configuration2-2.1.1. I do not think this vulnerability affects Hadoop,
but we should upgrade it to 2.8.0.
Some minor comments about this PR,
- Is the TestTimelineWebServices fix related to the commons-configuration
upgrade? If not, we should not include it in this PR.
- Since this is a security fix, it should be backported to lower branches.
Could you please create a PR to backport to branch-3.3, branch-3.2, and
branch-2.10?
> upgrade to commons-configuration2 2.8.0
> ---------------------------------------
>
> Key: HADOOP-18341
> URL: https://issues.apache.org/jira/browse/HADOOP-18341
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
> Labels: pull-request-available
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Current version 2.1.1 has no CVEs but all higher versions have CVEs except
> for the latest release 2.8.0. Still feels like it would be safer to upgrade.
> Currently it causes issues that will need to be fixed:
> ```
> [ERROR] testBlockReaderLocalWithMlockChanges(org.apache.hadoop.hdfs.client.impl.TestBlockReaderLocal)  Time elapsed: 0.414 s  <<< ERROR!
> java.lang.NoClassDefFoundError: Could not initialize class org.apache.commons.configuration2.interpol.ConfigurationInterpolator$DefaultPrefixLookupsHolder
>         at org.apache.commons.configuration2.interpol.ConfigurationInterpolator.getDefaultPrefixLookups(ConfigurationInterpolator.java:290)
>         at org.apache.commons.configuration2.AbstractConfiguration.installDefaultInterpolator(AbstractConfiguration.java:375)
>         at org.apache.commons.configuration2.AbstractConfiguration.<init>(AbstractConfiguration.java:122)
>         at org.apache.commons.configuration2.BaseConfiguration.<init>(BaseConfiguration.java:37)
>         at org.apache.commons.configuration2.PropertiesConfiguration.<init>(PropertiesConfiguration.java:1059)
>         at org.apache.hadoop.metrics2.impl.MetricsConfig.loadFirst(MetricsConfig.java:114)
>         at org.apache.hadoop.metrics2.impl.MetricsConfig.create(MetricsConfig.java:97)
>         at org.apache.hadoop.metrics2.impl.MetricsSystemImpl.configure(MetricsSystemImpl.java:482)
>         at org.apache.hadoop.metrics2.impl.MetricsSystemImpl.start(MetricsSystemImpl.java:188)
>         at org.apache.hadoop.metrics2.impl.MetricsSystemImpl.init(MetricsSystemImpl.java:163)
>         at org.apache.hadoop.metrics2.lib.DefaultMetricsSystem.init(DefaultMetricsSystem.java:62)
>         at org.apache.hadoop.metrics2.lib.DefaultMetricsSystem.initialize(DefaultMetricsSystem.java:58)
>         at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1780)
> ```
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
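Added example, not part of the Jira issue, the PR, or the Hadoop or Commons Configuration code: a small Java program that checks at runtime what the 2.8.0 upgrade changes about variable interpolation. It assumes commons-configuration2 2.8.0 (with the commons-text and commons-lang3 versions it declares) on the classpath; the class name InterpolationCheck and the property keys are made up for the example. It prints which interpolation prefixes ConfigurationInterpolator registers by default and shows that a value carrying a script: lookup, the kind of lookup CVE-2022-33980 is about, is left as a literal string when that prefix is not registered. Because getDefaultPrefixLookups() is the call that triggers the static initializer of ConfigurationInterpolator$DefaultPrefixLookupsHolder, running it outside the Hadoop test suite is also the quickest way to reproduce the NoClassDefFoundError in the quoted stack trace on a given classpath.

```java
import java.util.Map;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

// Added example, not Hadoop or Commons Configuration project code.
// Assumes commons-configuration2 2.8.0 and its declared dependencies on the classpath.
public class InterpolationCheck {

    // The lookups CVE-2022-33980 is about: each fetches or executes content
    // named by the configuration value itself.
    private static final DefaultLookups[] RISKY = {
        DefaultLookups.SCRIPT, DefaultLookups.URL, DefaultLookups.DNS
    };

    public static void main(String[] args) {
        // This call initialises ConfigurationInterpolator$DefaultPrefixLookupsHolder,
        // the class the Hadoop test failure could not initialise.
        Map<String, Lookup> defaults = ConfigurationInterpolator.getDefaultPrefixLookups();
        System.out.println("default prefix lookups: " + defaults.keySet());

        for (DefaultLookups l : RISKY) {
            System.out.printf("%-6s registered by default: %b%n",
                    l.getPrefix(), defaults.containsKey(l.getPrefix()));
        }

        // Constructed values, not taken from any real configuration file.
        PropertiesConfiguration cfg = new PropertiesConfiguration();
        cfg.setProperty("benign", "${sys:java.version}");
        cfg.setProperty("hostile", "${script:javascript:6*7}");

        // getString() runs interpolation. With the 2.8.0 defaults the sys: lookup
        // resolves, while the script: variable is returned as the literal text
        // because no lookup is registered for that prefix.
        System.out.println("benign  = " + cfg.getString("benign"));
        System.out.println("hostile = " + cfg.getString("hostile"));
    }
}
```

Compile and run it with the 2.8.0 jar and its dependencies on the classpath (javac -cp and java -cp with the same jar list). If an application genuinely needs the script, url or dns lookups, 2.8.0 makes that an explicit opt-in through the system property org.apache.commons.configuration2.interpol.ConfigurationInterpolator.defaultPrefixLookups; leaving it unset is the state the upgrade is meant to reach.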