[ https://issues.apache.org/jira/browse/FLUME-3475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722108#comment-17722108 ]

Deepak Garg commented on FLUME-3475:
------------------------------------

Test cases run:
{code}
-------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.apache.flume.channel.jdbc.TestTransactionIsolationLevelEnum
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.062 s - in org.apache.flume.channel.jdbc.TestTransactionIsolationLevelEnum
[INFO] Running org.apache.flume.channel.jdbc.TestJdbcChannelProvider
[INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 15.093 s - in org.apache.flume.channel.jdbc.TestJdbcChannelProvider
[INFO] Running org.apache.flume.channel.jdbc.TestJdbcChannelProviderNoFK
[INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 13.089 s - in org.apache.flume.channel.jdbc.TestJdbcChannelProviderNoFK
[INFO] Running org.apache.flume.channel.jdbc.TestDatabaseTypeEnum
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.003 s - in org.apache.flume.channel.jdbc.TestDatabaseTypeEnum
[INFO] Running org.apache.flume.channel.jdbc.TestDerbySchemaHandlerQueries
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 s - in org.apache.flume.channel.jdbc.TestDerbySchemaHandlerQueries
[INFO] Running org.apache.flume.channel.jdbc.TestPersistentEvent
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.001 s - in org.apache.flume.channel.jdbc.TestPersistentEvent
[INFO]
[INFO] Results:
[INFO]
[INFO] Tests run: 13, Failures: 0, Errors: 0, Skipped: 0
{code}

> Upgrade Commons-dbcp 1.4 to Commons-dbcp2 2.9.0
> ------------------------------------------------
>
>                 Key: FLUME-3475
>                 URL: https://issues.apache.org/jira/browse/FLUME-3475
>             Project: Flume
>          Issue Type: Dependency upgrade
>         Environment: Hadoop 3, RHEL 7, flume 1.11.0
>            Reporter: Deepak Garg
>            Assignee: Deepak Garg
>            Priority: Major
>
> This dependency upgrade requires changes in flume-jdbc-channel.
>
> Explanation
> The Apache Commons DBCP packages are vulnerable to Insufficiently Protected Credentials. The {{toString}} method in the classes listed below displays sensitive credentials. An attacker can exploit this as part of a larger attack, using said credentials to gain unauthorized access.
> _Vulnerable Classes_:
>  * DelegatingConnection.class
>  * DriverConnectionFactory.class
>  * DriverAdapterCPDS.class
>  * PoolKey.class
>  * UserPassKey.class
>
> Detection
> The application is vulnerable by using this component.
>
> Recommendation
> There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control.
>
> Version Affected
> [1.2.1,1.4]
>
> Root Cause
> commons-dbcp-1.4.jar org/apache/commons/dbcp/DriverConnectionFactory.class [1.2.1, 20030818.201141)
> commons-dbcp-1.4.jar org/apache/commons/dbcp/datasources/PoolKey.class [1.2.1, 20030818.201141)
> commons-dbcp-1.4.jar org/apache/commons/dbcp/datasources/UserPassKey.class [1.2.1, 20030818.201141)
> commons-dbcp-1.4.jar org/apache/commons/dbcp/DelegatingConnection.class [1.2.2, 20030818.201141)
>
> Advisories
> Project: [https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd]
>
> CVSS Details
> Sonatype CVSS 3: 7.5
> CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
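The leak pattern the advisory describes, shown as an added example that is not Flume's or Commons DBCP's code: a constructed stand-in for a DBCP-style user/password key whose {{toString}} exposes the secret, beside a redacting form, with a small check that a test suite can run over any pooled-datasource object to confirm its string rendering never contains a known secret. Class and method names are constructed for this example.

```java
import java.util.Arrays;

// Constructed stand-in for a DBCP-style user/password key; not the real
// org.apache.commons.dbcp.datasources.UserPassKey, only the same toString pattern.
final class LeakyUserPassKey {
    private final String username;
    private final String password;

    LeakyUserPassKey(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // The pre-fix pattern the issue describes: the secret is part of toString(),
    // so it reaches log lines, exception messages and debugger output.
    @Override
    public String toString() {
        return "UserPassKey[username=" + username + ", password=" + password + "]";
    }
}

final class RedactingUserPassKey {
    private final String username;
    private final String password;

    RedactingUserPassKey(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Hardened form: render only whether a secret is set, never its value.
    @Override
    public String toString() {
        return "UserPassKey[username=" + username
             + ", password=" + (password == null ? "<unset>" : "<redacted>") + "]";
    }
}

public final class ToStringLeakCheck {
    /** True if any non-empty secret appears verbatim in o.toString(). */
    static boolean leaksSecret(Object o, String... secrets) {
        String rendered = String.valueOf(o);
        return Arrays.stream(secrets).anyMatch(s -> s != null && !s.isEmpty() && rendered.contains(s));
    }

    public static void main(String[] args) {
        String pw = "example-only-password"; // constructed sample value, not a real credential
        if (!leaksSecret(new LeakyUserPassKey("flume", pw), pw))
            throw new AssertionError("expected the leaky class to expose the password");
        if (leaksSecret(new RedactingUserPassKey("flume", pw), pw))
            throw new AssertionError("hardened toString must not contain the password");
        System.out.println("toString leak check passed");
    }
}
```

The same {{leaksSecret}} check can be pointed at a configured pool or connection object after the dbcp2 upgrade to confirm that none of its {{toString}} output carries the configured password.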



--
This message was sent by Atlassian Jira
(v8.20.10#820010)