[jira] [Commented] (FLUME-3475) Upgrade Commons-dbcp 1.4 to Commons-dbcp2 2.9.0

Fri, 12 May 2023 03:30:07 -0700 


    [ 
https://issues.apache.org/jira/browse/FLUME-3475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722109#comment-17722109
 ] 

Deepak Garg commented on FLUME-3475:
------------------------------------

[~rgoers] 

[https://github.com/apache/flume-jdbc/pull/1]

Kindly review 

 

> Upgrade Commons-dbcp 1.4 to Commons-dbcp2 2.9.0 
> ------------------------------------------------
>
>                 Key: FLUME-3475
>                 URL: https://issues.apache.org/jira/browse/FLUME-3475
>             Project: Flume
>          Issue Type: Dependency upgrade
>         Environment: Hadoop 3
> RHEL 7
> flume 1.11.0
>            Reporter: Deepak Garg
>            Assignee: Deepak Garg
>            Priority: Major
>
> This dependency upgrade requires changes in flume-jdbc-channel
>  
> Explanation
> The Apache Commons DBCP packages are vulnerable to Insufficiently Protected 
> Credentials. The {{toString}} method in various classes as mentioned below, 
> displays sensitive credentials. An attacker can exploit this as part of a 
> larger attack, using said credentials to gain unauthorized access.
> {_}Vulnerable Classes{_}:
>  * DelegatingConnection.class
>  * DriverConnectionFactory.class
>  * DriverAdapterCPDS.class
>  * PoolKey.class
>  * UserPassKey.class
> Detection
> The application is vulnerable by using this component.
> Recommendation
> There is no non-vulnerable upgrade path for this component/package. We 
> recommend investigating alternative components or a potential mitigating 
> control.
> Version Affected
> [1.2.1,1.4]
> Root Cause
> commons-dbcp-1.4.jarorg/apache/commons/dbcp/DriverConnectionFactory.class[1.2.1,
>  20030818.201141)
> commons-dbcp-1.4.jarorg/apache/commons/dbcp/datasources/PoolKey.class[1.2.1, 
> 20030818.201141)
> commons-dbcp-1.4.jarorg/apache/commons/dbcp/datasources/UserPassKey.class[1.2.1,
>  20030818.201141)
> commons-dbcp-1.4.jarorg/apache/commons/dbcp/DelegatingConnection.class[1.2.2, 
> 20030818.201141)
> Advisories
> Project[https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd]
> CVSS Details
> Sonatype CVSS 37.5
> CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to