[jira] [Updated] (HDFS-16766) hdfs ec command loads (administrator provided) erasure code policy files without disabling xml entity expansion

Thu, 13 Oct 2022 10:12:09 -0700 


     [ 
https://issues.apache.org/jira/browse/HDFS-16766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Steve Loughran updated HDFS-16766:
----------------------------------
    Summary: hdfs ec command loads (administrator provided) erasure code policy 
files without disabling xml entity expansion  (was: XML External Entity (XXE) 
attacks can occur while processing XML received from an untrusted source)

> hdfs ec command loads (administrator provided) erasure code policy files 
> without disabling xml entity expansion
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-16766
>                 URL: https://issues.apache.org/jira/browse/HDFS-16766
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.4
>            Reporter: Jing
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.5, 3.2.5
>
>
> XML External Entity (XXE) attacks can occur when an XML parser supports XML 
> entities while processing XML received from an untrusted source. The attack 
> resides in XML input containing references to an external entity an is parsed 
> by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.
>  
> https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93
> h3. sonatype-2022-5732
> If anyone is landing on this page following the sonatype-2022-5732 alert
> # the xml expansion only happens on the command line of the {{hdfs ec)) 
> command 
> https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSErasureCoding.html#Administrative_commands
> # the outcome of entity expansion will be the command failing/running out of 
> memory
> # if you cluster admin is loading erasure policies from untrusted sources, 
> there are fundamental process issues to worry about beyond xml references



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to