[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17864260#comment-17864260 ]

Hadoop QA commented on OOZIE-3719:
----------------------------------

PreCommit-OOZIE-Build started

> Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
> ------------------------------------------------------------
>
> Key: OOZIE-3719
> URL: https://issues.apache.org/jira/browse/OOZIE-3719
> Project: Oozie
> Issue Type: Bug
> Components: core
> Affects Versions: 5.2.1
> Reporter: Sanjay Kumar Sahu
> Assignee: Sanjay Kumar Sahu
> Priority: Major
> Attachments: OOZIE-3719-001.patch, OOZIE-3719-002.patch, OOZIE-3719-003.patch, image-2023-09-15-02-47-52-819.png, image-2023-09-15-02-49-14-531.png, image-2023-09-15-02-52-09-320.png, oozie3719.patch
>
> !image-2023-09-15-02-47-52-819.png!
>
> Looking further into the code focusing on the action and type query strings.
> We can see that the filter variable is getting its value from the requestsParameters.
> Once the Filter parameter is being populated, an If loop checking whether Scope and Type are not Null and next
> the code checks the logRetrievalType is equal to the JOB_LOG_ACTION (which is the action query string).
>
> Next the values of logRetrievalScope gets split by , and entering the if loop.
> In the block where ranges of actions are processed ( if (s.contains("-")) { ... } ), an attacker could potentially
> send a specially crafted request with a massive range, such as "1-100".
> This would create a for loop iterating and adding that many actions to the actionSet, consuming CPU and memory resources.
> Though there is a subsequent check against maxNumActionsForLog, this check only happens after all the iterations,
> allowing an attacker to consume resources before this check is made -
>
> !image-2023-09-15-02-52-09-320.png!

--
This message was sent by Atlassian Jira (v8.20.10#820010)
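The check ordering described in the quoted issue text, as an added Java example (not Oozie source and not one of the attached patches): the first method expands every range before comparing against the limit, the second compares each range's width with the remaining budget before iterating. The names logRetrievalScope, actionSet and maxNumActionsForLog come from the issue text; the class name, method names, the sample limit of 50 and the rule that action numbers start at 1 are assumptions.

```java
import java.util.Set;
import java.util.TreeSet;

// Added illustration, not Oozie source. logRetrievalScope, actionSet and
// maxNumActionsForLog are names from the issue text; the rest is hypothetical.
public class ActionScopeDemo {

    // Ordering described in the issue: expand every range, compare with the limit last.
    static Set<Integer> expandThenCheck(String logRetrievalScope, int maxNumActionsForLog) {
        Set<Integer> actionSet = new TreeSet<>();
        for (String s : logRetrievalScope.split(",")) {
            s = s.trim();
            if (s.contains("-")) {
                String[] range = s.split("-");
                int start = Integer.parseInt(range[0].trim());
                int end = Integer.parseInt(range[1].trim());
                for (int i = start; i <= end; i++) { // cost scales with the requested width
                    actionSet.add(i);
                }
            } else {
                actionSet.add(Integer.parseInt(s));
            }
        }
        if (actionSet.size() > maxNumActionsForLog) { // too late, the set is already built
            throw new IllegalArgumentException("too many actions requested");
        }
        return actionSet;
    }

    // Hardened ordering: validate each token and compare its width with the
    // remaining budget before adding anything (assumes action numbers start at 1).
    static Set<Integer> checkThenExpand(String logRetrievalScope, int maxNumActionsForLog) {
        Set<Integer> actionSet = new TreeSet<>();
        for (String s : logRetrievalScope.split(",")) {
            s = s.trim();
            int dash = s.indexOf('-');
            int start, end;
            try {
                if (dash < 0) {
                    start = end = Integer.parseInt(s);
                } else {
                    start = Integer.parseInt(s.substring(0, dash).trim());
                    end = Integer.parseInt(s.substring(dash + 1).trim());
                }
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("invalid action scope: " + s, e);
            }
            if (start < 1 || end < start) {
                throw new IllegalArgumentException("invalid action range: " + s);
            }
            long width = (long) end - start + 1; // long: no overflow near Integer.MAX_VALUE
            long remaining = (long) maxNumActionsForLog - actionSet.size();
            if (width > remaining) { // conservative: overlapping ids are counted again
                throw new IllegalArgumentException("scope exceeds " + maxNumActionsForLog + " actions");
            }
            for (long i = start; i <= end; i++) { // long counter: terminates even if end is MAX_VALUE
                actionSet.add((int) i);
            }
        }
        return actionSet;
    }

    public static void main(String[] args) {
        int maxNumActionsForLog = 50; // constructed sample limit
        System.out.println(checkThenExpand("1-3,7", maxNumActionsForLog));
        try {
            checkThenExpand("1-100", maxNumActionsForLog); // range quoted in the issue text
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before any iteration: " + e.getMessage());
        }
    }
}
```

With the second ordering the cost of a rejected request is bounded by parsing the tokens, independent of the width of the range requested.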
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17864062#comment-17864062 ]

János Makai commented on OOZIE-3719:
------------------------------------

Looks like the *PreCommit-OOZIE-Build* is failing for the recent patch(es) but this seems like an unrelated issue to the change
[https://ci-hadoop.apache.org/job/PreCommit-OOZIE-Build/219/consoleFull]

Other than this the patch looks good so far, I'm waiting for the corresponding unit tests to be created.

Thanks [~dionusos]

> Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
> ------------------------------------------------------------
>
> Key: OOZIE-3719
> URL: https://issues.apache.org/jira/browse/OOZIE-3719
> Project: Oozie
> Issue Type: Bug
> Components: core
> Affects Versions: 5.2.1
> Reporter: Sanjay Kumar Sahu
> Assignee: Sanjay Kumar Sahu
> Priority: Major
> Attachments: OOZIE-3719-001.patch, OOZIE-3719-002.patch, image-2023-09-15-02-47-52-819.png, image-2023-09-15-02-49-14-531.png, image-2023-09-15-02-52-09-320.png, oozie3719.patch
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17864035#comment-17864035 ]

Hadoop QA commented on OOZIE-3719:
----------------------------------

PreCommit-OOZIE-Build started
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17863825#comment-17863825 ]

Hadoop QA commented on OOZIE-3719:
----------------------------------

PreCommit-OOZIE-Build started
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17863824#comment-17863824 ]

Hadoop QA commented on OOZIE-3719:
----------------------------------

PreCommit-OOZIE-Build started
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17817263#comment-17817263 ]

Dénes Bodó commented on OOZIE-3719:
-----------------------------------

[~SanjayKumarSahu]

The [Jenkins job|https://ci-hadoop.apache.org/job/PreCommit-OOZIE-Build/216/] cannot apply the uploaded patch using this command:
{code:bash}
git apply --check -v -p0 < OOZIE-3719-001.patch
{code}
Could you please format your patch according to this description? [https://cwiki.apache.org/confluence/display/OOZIE/How+To+Contribute]
{code:bash}
git diff --no-prefix
{code}
Thank you

> Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
> ------------------------------------------------------------
>
> Key: OOZIE-3719
> URL: https://issues.apache.org/jira/browse/OOZIE-3719
> Project: Oozie
> Issue Type: Bug
> Components: core
> Affects Versions: 5.2.1
> Reporter: Sanjay Kumar Sahu
> Assignee: Sanjay Kumar Sahu
> Priority: Major
> Fix For: 5.3.0
> Attachments: OOZIE-3719-001.patch, image-2023-09-15-02-47-52-819.png, image-2023-09-15-02-49-14-531.png, image-2023-09-15-02-52-09-320.png, oozie3719.patch
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17817246#comment-17817246 ]

Hadoop QA commented on OOZIE-3719:
----------------------------------

Testing JIRA OOZIE-3719

Cleaning local git workspace

-1 Patch failed to apply to head of branch
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17817240#comment-17817240 ]

Hadoop QA commented on OOZIE-3719:
----------------------------------

PreCommit-OOZIE-Build started
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17794659#comment-17794659 ]

Hadoop QA commented on OOZIE-3719:
----------------------------------

Testing JIRA OOZIE-3719

Cleaning local git workspace

-1 Patch failed to apply to head of branch
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17794655#comment-17794655 ]

Hadoop QA commented on OOZIE-3719:
----------------------------------

PreCommit-OOZIE-Build started
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17794647#comment-17794647 ]

Dénes Bodó commented on OOZIE-3719:
-----------------------------------

[~SanjayKumarSahu]

Please upload your patch with the following name "OOZIE-3719-001.patch" and then push the "Submit Patch" button to start the automated build and tests.

> Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
> ------------------------------------------------------------
>
> Key: OOZIE-3719
> URL: https://issues.apache.org/jira/browse/OOZIE-3719
> Project: Oozie
> Issue Type: Bug
> Components: core
> Affects Versions: 5.2.1
> Reporter: Sanjay Kumar Sahu
> Assignee: Sanjay Kumar Sahu
> Priority: Major
> Attachments: image-2023-09-15-02-47-52-819.png, image-2023-09-15-02-49-14-531.png, image-2023-09-15-02-52-09-320.png, oozie3719.patch
[jira] [Commented] (OOZIE-3719) Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17793748#comment-17793748 ]

Sanjay Kumar Sahu commented on OOZIE-3719:
------------------------------------------

PR link : https://github.com/apache/oozie/pull/92

> Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users
> ------------------------------------------------------------
>
> Key: OOZIE-3719
> URL: https://issues.apache.org/jira/browse/OOZIE-3719
> Project: Oozie
> Issue Type: Bug
> Components: core
> Affects Versions: 5.2.1
> Reporter: Sanjay Kumar Sahu
> Assignee: Sanjay Kumar Sahu
> Priority: Major
> Attachments: image-2023-09-15-02-47-52-819.png, image-2023-09-15-02-49-14-531.png, image-2023-09-15-02-52-09-320.png