[
https://issues.apache.org/jira/browse/FLUME-3475?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Deepak Garg updated FLUME-3475:
-------------------------------
Description:
This dependency upgrade requires changes in flume-jdbc-channel
Explanation
The Apache Commons DBCP packages are vulnerable to Insufficiently Protected
Credentials. The {{toString}} method in various classes as mentioned below,
displays sensitive credentials. An attacker can exploit this as part of a
larger attack, using said credentials to gain unauthorized access.
{_}Vulnerable Classes{_}:
* DelegatingConnection.class
* DriverConnectionFactory.class
* DriverAdapterCPDS.class
* PoolKey.class
* UserPassKey.class
Detection
The application is vulnerable by using this component.
Recommendation
There is no non-vulnerable upgrade path for this component/package. We
recommend investigating alternative components or a potential mitigating
control.
Version Affected
[1.2.1,1.4]
Root Cause
commons-dbcp-1.4.jar : org/apache/commons/dbcp/DriverConnectionFactory.class [1.2.1, 20030818.201141)
commons-dbcp-1.4.jar : org/apache/commons/dbcp/datasources/PoolKey.class [1.2.1, 20030818.201141)
commons-dbcp-1.4.jar : org/apache/commons/dbcp/datasources/UserPassKey.class [1.2.1, 20030818.201141)
commons-dbcp-1.4.jar : org/apache/commons/dbcp/DelegatingConnection.class [1.2.2, 20030818.201141)
Advisories
Project: [https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd]
CVSS Details
Sonatype CVSS 3: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
was: This dependency upgrade requires changes in flume-jdbc-channel
> Upgrade Commons-dbcp 1.4 to Commons-dbcp2 2.9.0
> ------------------------------------------------
>
> Key: FLUME-3475
> URL: https://issues.apache.org/jira/browse/FLUME-3475
> Project: Flume
> Issue Type: Dependency upgrade
> Environment: Hadoop 3
> RHEL 7
> flume 1.11.0
> Reporter: Deepak Garg
> Assignee: Deepak Garg
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
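The leak the advisory describes is a toString() that renders the JDBC connection
properties, password included, so that any routine log line or exception message
that mentions the factory object writes the credential out. The following is an
added illustration of that pattern and of the redacting form a library would ship
as the fix; it is not Commons DBCP source and not code from the Flume ticket. The
class names (LeakyConnectionFactory, RedactingConnectionFactory), the field names
and the sample credentials are assumptions chosen to mirror the pattern.

```java
import java.util.Properties;
import java.util.logging.Logger;

/*
 * Illustrative model of a JDBC connection factory that holds its connection
 * Properties (user and password) and renders them from toString(). Names are
 * assumptions chosen to mirror the pattern; this is not Commons DBCP code.
 */
public final class CredentialToStringDemo {

    private static final Logger LOG = Logger.getLogger(CredentialToStringDemo.class.getName());

    /** Leaky variant: toString() renders the whole Properties object, password included. */
    static final class LeakyConnectionFactory {
        private final String connectUri;
        private final Properties props;

        LeakyConnectionFactory(String connectUri, Properties props) {
            this.connectUri = connectUri;
            this.props = props;
        }

        @Override
        public String toString() {
            // Properties.toString() prints every key=value pair, e.g. {password=..., user=...}
            return getClass().getSimpleName() + " [" + connectUri + ";" + props + "]";
        }
    }

    /** Hardened variant: the password value is replaced before anything is rendered. */
    static final class RedactingConnectionFactory {
        private static final String PASSWORD_KEY = "password";
        private final String connectUri;
        private final Properties props;

        RedactingConnectionFactory(String connectUri, Properties props) {
            this.connectUri = connectUri;
            this.props = props;
        }

        @Override
        public String toString() {
            // Render a copy so the live Properties used for the connection are untouched.
            Properties rendered = new Properties();
            rendered.putAll(props);
            if (rendered.containsKey(PASSWORD_KEY)) {
                rendered.setProperty(PASSWORD_KEY, "<redacted>");
            }
            return getClass().getSimpleName() + " [" + connectUri + ";" + rendered + "]";
        }
    }

    /** Check usable from a unit test or a log scrubber: does the rendered object contain the secret? */
    static boolean exposesSecret(Object o, String secret) {
        return String.valueOf(o).contains(secret);
    }

    public static void main(String[] args) {
        // Constructed sample credentials for the demonstration; not real values.
        final String secret = "s3cr3t-example";
        Properties props = new Properties();
        props.setProperty("user", "flume");
        props.setProperty("password", secret);
        String uri = "jdbc:derby:memory:flume;create=true";

        LeakyConnectionFactory leaky = new LeakyConnectionFactory(uri, props);
        RedactingConnectionFactory safe = new RedactingConnectionFactory(uri, props);

        // Nothing exotic is needed to trigger the leak: string concatenation in a
        // log call invokes toString() implicitly.
        LOG.info("opening pool via " + leaky);  // the password lands in the log
        LOG.info("opening pool via " + safe);   // the password is shown as <redacted>

        System.out.println("leaky exposes password:     " + exposesSecret(leaky, secret));
        System.out.println("redacting exposes password: " + exposesSecret(safe, secret));
    }
}
```

Compile and run with javac and java; the two log lines show the difference
directly. For commons-dbcp 1.x the library's own toString() cannot be changed
from the application side, which is why the advisory offers no in-line upgrade:
the mitigating control is to keep these objects (and exceptions that embed them)
out of log statements and error messages, and the fix this ticket takes is to move
flume-jdbc-channel to the separate commons-dbcp2 artifact.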