[
https://issues.apache.org/jira/browse/HADOOP-18497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shilun Fan updated HADOOP-18497:
--------------------------------
Target Version/s: 3.3.5, 3.4.0
> Upgrade commons-text version to fix CVE-2022-42889
> --------------------------------------------------
>
> Key: HADOOP-18497
> URL: https://issues.apache.org/jira/browse/HADOOP-18497
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build
> Affects Versions: 3.2.4, 3.3.4
> Reporter: Xiaoqiao He
> Assignee: PJ Fanning
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0, 3.3.5, 3.2.5
>
>
> Upgrade commons-text version to ensure downstream applications are not at
> risk from CVE-2022-42889.
> https://nvd.nist.gov/vuln/detail/CVE-2022-42889
> The CVE is related to variable expansion through the utility class
> {{org.apache.commons.text.lookup.StringLookup}}.
> # Hadoop does not use this in its codebase, and never has. Therefore it is
> not at direct risk from this.
> # We are not aware of any uses in its dependent libraries. Assuming this is
> true, hadoop is not at indirect risk from this.
> Applications built using the hadoop libraries may be at risk if they use the
> class and get their version of commons-text set transitively from the hadoop
> build. Upgrading the dependency declared by hadoop ensures that these
> applications are not vulnerable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
