Re: CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to read arbitrary files

2022-11-21 Thread Jarek Potiuk
Just to add severity: moderate.

On Mon, Nov 21, 2022 at 9:41 PM Jarek Potiuk  wrote:
>
> Description:
>
> Improper Neutralization of Special Elements used in an OS Command ('OS 
> Command Injection') vulnerability in Apache Airflow Spark Provider, Apache 
> Airflow allows an attacker to read arbitrary files in the task execution 
> context, without write access to DAG files. This issue affects Spark Provider 
> versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 
> 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be 
> installed for Airflow 2.3.0+). Note that you need to manually install the 
> Spark Provider version 4.0.0 in order to get rid of the vulnerability on top 
> of Airflow 2.3.0+ version that has lower version of the Spark Provider 
> installed.
>
> Credit:
>
> Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for 
> reporting the issue.
>
> References:
>
> https://github.com/apache/airflow/pull/27646
>


CVE-2022-41131: Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)

2022-11-21 Thread Jarek Potiuk
Severity: moderate

Description:

Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow 
allows an attacker to execute arbitrary commands in the task execution context, 
without write access to DAG files. This issue affects Hive Provider versions 
prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in 
case Hive Provider is installed (Hive Provider 4.1.0 can only be installed for 
Airflow 2.3.0+). Note that you need to manually install the Hive Provider 
version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ 
version that has lower version of the Hive Provider installed.


Credit:

Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for 
reporting the issue.

References:

https://github.com/apache/airflow/pull/27647



CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to read arbitrary files

2022-11-21 Thread Jarek Potiuk
Description:

Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow 
allows an attacker to read arbitrary files in the task execution context, 
without write access to DAG files. This issue affects Spark Provider versions 
prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in 
case Spark Provider is installed (Spark Provider 4.0.0 can only be installed 
for Airflow 2.3.0+). Note that you need to manually install the Spark Provider 
version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ 
version that has lower version of the Spark Provider installed.

Credit:

Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for 
reporting the issue.

References:

https://github.com/apache/airflow/pull/27646



CVE-2022-40189: Apache Airflow Pig Provider RCE

2022-11-21 Thread Jarek Potiuk
Severity: moderate

Description:

Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows 
an attacker to control commands executed in the task execution context, without 
write access to DAG files. This issue affects Pig Provider versions prior to 
4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig 
Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 
2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 
in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.

Credit:

Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for 
reporting the issue.

References:

https://github.com/apache/airflow/pull/27644



CVE-2022-38649: Apache Airflow Pinot Provider, Apache Airflow: PinotAdminHook Command Injection

2022-11-21 Thread Jarek Potiuk
Severity: moderate

Description:

Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow 
allows an attacker to control commands executed in the task execution context, 
without write access to DAG files. This issue affects Apache Airflow Pinot 
Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions 
prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache 
Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note 
that you need to manually install the Pinot Provider version 4.0.0 in order to 
get rid of the vulnerability on top of Airflow 2.3.0+ version.

Credit:

Apache Airflow PMC wants to thank id_No2015429 of 3H Security Team for 
reporting the issue.

References:

https://github.com/apache/airflow/pull/27641
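The four Airflow provider advisories above (Spark, Hive, Pig, Pinot) all report the same defect class, CWE-78: a hook shells out to a command-line tool and the values it pastes into that command line come from somewhere the task author does not control. The Hive advisory names the hive_cli connection as the vector, and all four stress that the attacker needs no write access to DAG files. The Python below is an added, generic illustration of that defect class and of the mitigation a defender would want; it is not code from Airflow or from the referenced pull requests. The CLI name `example-cli`, its options, the `Connection` stand-in, the allow-list of extras and the sample values are all assumed for the illustration.

```python
"""Added illustration, not Airflow's code: neutralising OS command injection
(CWE-78) in a hook that builds a CLI invocation from connection fields."""
from __future__ import annotations

import re
import shlex
import subprocess
from dataclasses import dataclass, field


@dataclass
class Connection:
    """Constructed stand-in for an Airflow-style Connection record. Whoever may
    edit connections controls these values; DAG write access is not required,
    which is the situation the advisories describe."""
    host: str
    login: str = ""
    extra: dict = field(default_factory=dict)


# Hypothetical CLI and option names; they stand in for whatever tool a hook wraps.
CLI = "example-cli"
ALLOWED_EXTRA_OPTIONS = {"queue": "--queue", "database": "--database"}

# Positive allow-lists describing what a field should look like (safer than a
# deny-list of shell metacharacters, which is easy to get wrong).
_SAFE_HOST = re.compile(r"[A-Za-z0-9.\-]+(?::\d{1,5})?")
_SAFE_IDENT = re.compile(r"[A-Za-z0-9_.\-]+")


def build_cli_command_unsafe(conn: Connection, query: str) -> str:
    """The vulnerable shape: one shell string with connection fields pasted in.
    A field containing ';', '|', '$(' or a quote changes what the shell runs."""
    return f"{CLI} --host {conn.host} --user {conn.login} -- '{query}'"


def validate_field(name: str, value: str, pattern: re.Pattern) -> str:
    """Reject a connection field that is not a plain value of the expected shape."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"connection field {name!r} has unexpected characters: {value!r}")
    if value.startswith("-"):
        # A leading dash would be parsed as an option by the CLI (option injection).
        raise ValueError(f"connection field {name!r} must not start with '-': {value!r}")
    return value


def build_cli_command(conn: Connection, query: str) -> list[str]:
    """Hardened shape: argv list (no shell), validated fields, allow-listed extras."""
    argv = [CLI, "--host", validate_field("host", conn.host, _SAFE_HOST)]
    if conn.login:
        argv += ["--user", validate_field("login", conn.login, _SAFE_IDENT)]
    for key, value in conn.extra.items():
        if key not in ALLOWED_EXTRA_OPTIONS:
            # Never splat arbitrary extras into the command line.
            raise ValueError(f"connection extra {key!r} is not an allowed option")
        argv += [ALLOWED_EXTRA_OPTIONS[key], validate_field(key, value, _SAFE_IDENT)]
    # The query is authored in the DAG, so it is trusted here; it still travels as
    # exactly one argv element after '--', which ends option parsing in the CLI.
    argv += ["--", query]
    return argv


def audit_connection(conn: Connection) -> list[str]:
    """Defender's check: list every reason a stored connection would be refused,
    so existing connections can be reviewed before the hardened hook is rolled out."""
    problems = []
    checks = [("host", conn.host, _SAFE_HOST)]
    if conn.login:
        checks.append(("login", conn.login, _SAFE_IDENT))
    for key, value in conn.extra.items():
        if key not in ALLOWED_EXTRA_OPTIONS:
            problems.append(f"extra {key!r} is not an allowed option")
            continue
        checks.append((key, value, _SAFE_IDENT))
    for name, value, pattern in checks:
        try:
            validate_field(name, value, pattern)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def shell_preview(argv: list[str]) -> str:
    """How the argv list would have to be typed into a shell; useful for logging
    and shows that a list-built argument is quoted as one word, never split."""
    return shlex.join(argv)


def run(conn: Connection, query: str) -> subprocess.CompletedProcess:
    """Execute the hardened command. shell stays at its default (False), so the
    argv list reaches the CLI verbatim and no shell ever parses it."""
    return subprocess.run(build_cli_command(conn, query), check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    good = Connection(host="db.example.internal:10000", login="svc_user", extra={"queue": "etl"})
    # Constructed sample of a tampered connection: the host field carries a shell separator.
    bad = Connection(host="db.example.internal; echo injected", login="svc_user")
    print("unsafe string form:", build_cli_command_unsafe(bad, "SELECT 1"))
    print("hardened argv:", build_cli_command(good, "SELECT 1"))
    print("audit of tampered connection:", audit_connection(bad))
```

The audit function is the part worth running first in an affected deployment: iterate it over every stored connection of the relevant type and review anything it flags, since a connection that the hardened hook would refuse is also one that the old string-building hook would have passed straight to the shell.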



[ANNOUNCE] Apache Solr 9.1.0 released

2022-11-21 Thread Ishan Chattopadhyaya
The Solr PMC is pleased to announce the release of Apache Solr 9.1.0.

Solr is the popular, blazing fast, open source NoSQL search platform
from the Apache Solr project. Its major features include powerful
full-text search, hit highlighting, faceted search, dynamic
clustering, database integration, rich document handling, and
geospatial search. Solr is highly scalable, providing fault tolerant
distributed search and indexing, and powers the search and navigation
features of many of the world's largest internet sites.

Solr 9.1.0 is available for immediate download at:

  

### Solr 9.1.0 Release Highlights:

 * Dedicated query coordinator nodes in a Solr cluster
 * Improvements to admin UI: managing paramsets in queries, managing field
   types, replica types while collection creation, etc.
 * Support for rolling up core level metrics to be node level metrics

Please refer to the Upgrade Notes in the Solr Ref Guide for
information on upgrading from previous Solr versions:

  

Please read CHANGES.txt for a full list of new features, changes and bugfixes:

  


[ANNOUNCEMENT] HttpComponents Client 5.1.4 GA Released

2022-11-21 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce 5.1.4 GA
release of HttpComponents HttpClient.

This release upgrades HttpCore to the latest 5.1 version and fixes
several issues found since release 5.1.3.

This is likely to be the last release in the 5.1 release series. Users
of HttpClient 5.1 are advised to upgrade to the latest version of 5.2.

Download - 
Release notes -


About HttpComponents HttpClient

The Hyper-Text Transfer Protocol (HTTP) is perhaps the most
significant protocol used on the Internet today. Web services, network-
enabled appliances and the growth of network computing continue to
expand the role of the HTTP protocol beyond user-driven web browsers,
while increasing the number of applications that require HTTP support.

Although the java.net package provides basic functionality for
accessing resources via HTTP, it doesn't provide the full flexibility
or functionality needed by many applications. HttpClient seeks to fill
this void by providing an efficient, up-to-date, and feature-rich
package implementing the client side of the most recent HTTP standards
and recommendations.

Designed for extension while providing robust support for the base HTTP
protocol, HttpClient may be of interest to anyone building HTTP-aware
client applications such as web browsers, web service clients, or
systems that leverage or extend the HTTP protocol for distributed
communication.



CVE-2022-45470: Apache Hama allows XSS and information disclosure

2022-11-21 Thread Arnout Engelen
Description:

** UNSUPPORTED WHEN ASSIGNED ** missing input validation in Apache Hama may 
cause information disclosure through path traversal and XSS. Since Apache Hama 
is EOL, we do not expect these issues to be fixed.

Credit:

Apache would like to thank QSec-Team for reporting this issue