[
https://issues.apache.org/jira/browse/HDFS-16766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Akira Ajisaka resolved HDFS-16766.
----------------------------------
Fix Version/s: 3.4.0
3.3.9
3.2.5
Resolution: Fixed
Committed to trunk, branch-3.3, and branch-3.2. Thank you [~Du] for your report
and thank you [~groot] for your fix!
> XML External Entity (XXE) attacks can occur while processing XML received
> from an untrusted source
> --------------------------------------------------------------------------------------------------
>
> Key: HDFS-16766
> URL: https://issues.apache.org/jira/browse/HDFS-16766
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.4
> Reporter: Jing
> Assignee: Ashutosh Gupta
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0, 3.3.9, 3.2.5
>
>
> XML External Entity (XXE) attacks can occur when an XML parser supports XML
> entities while processing XML received from an untrusted source. The attack
> resides in XML input containing references to an external entity an is parsed
> by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.
>
> https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
