[
https://issues.apache.org/jira/browse/HADOOP-18825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17758727#comment-17758727
]
Eugene Shinn (Truveta) commented on HADOOP-18825:
-------------------------------------------------
Pinging to bring back to top of stack for potential triage and update.
> Address Netty 4.x / CWE-295 by configuring hostname verification
> ----------------------------------------------------------------
>
> Key: HADOOP-18825
> URL: https://issues.apache.org/jira/browse/HADOOP-18825
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.6
> Reporter: Eugene Shinn (Truveta)
> Priority: Minor
>
> Our SAST tool has picked up that the version of Netty 4.x used by Hadoop is
> vulnerable to [Security Vulnerability - Common Weakness Enumeration (CWE)
> CWE-295 · Issue #9930 · netty/netty
> (github.com)|https://github.com/netty/netty/issues/9930]. Until Netty 5 is
> released (which will enable it by default), the remediation is to enable host
> name verification ([SslContext (Netty API Reference
> (4.1.95.Final))|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newHandler-io.netty.buffer.ByteBufAllocator-java.util.concurrent.Executor-]).
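The remediation named in the issue, sketched for a Netty 4.1 client pipeline. This is an added example, not code from Hadoop or from the reporter; the class name `VerifyingTlsInitializer` and its constructor parameters are hypothetical, and the default JDK trust store is assumed.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Hypothetical client-side initializer that turns on hostname verification. */
public final class VerifyingTlsInitializer extends ChannelInitializer<Channel> {
    private final SslContext sslContext;
    private final String peerHost; // name the client intended to reach
    private final int peerPort;

    public VerifyingTlsInitializer(String peerHost, int peerPort) throws SSLException {
        // Assumption: certificates chain to the JDK default trust store.
        this.sslContext = SslContextBuilder.forClient().build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    @Override
    protected void initChannel(Channel ch) {
        // Weak form flagged as CWE-295: sslContext.newHandler(ch.alloc()) with no
        // endpoint identification validates the chain but never checks that the
        // certificate was issued for the host being contacted.

        // Hardened form: pass the peer identity so the engine knows which name
        // to compare against the certificate.
        SslHandler handler = sslContext.newHandler(ch.alloc(), peerHost, peerPort);

        // "HTTPS" makes the JDK match peerHost against the certificate's
        // subject alternative names during the handshake; a mismatch fails
        // the handshake instead of silently succeeding.
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);

        ch.pipeline().addFirst("ssl", handler);
    }
}
```

Endpoint identification only applies to the client side of a connection, and `peerHost` must be the name the caller asked for, not one learned from the peer.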