[jira] [Commented] (AMQ-6991) ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs against it.

2018-07-26 Thread Albert Baker (JIRA)


[ https://issues.apache.org/jira/browse/AMQ-6991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16558970#comment-16558970 ]

Albert Baker commented on AMQ-6991:
---

Thanks Christopher !

> ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs 
> against it.
> --
>
> Key: AMQ-6991
> URL: https://issues.apache.org/jira/browse/AMQ-6991
> Project: ActiveMQ
>  Issue Type: Bug
>  Components: Broker
>Affects Versions: 5.15.4
> Environment: Customer environment is a mix of Linux and Windows, Gig-LAN 
> (Medical & Financial services).  Will not accept the risk of having even one 
> high severity CVE in their environment. The cost of (SOX/HIPAA) insurance is 
> too high to allow even one CVE with newly deployed systems.
>Reporter: Albert Baker
>Priority: Blocker
>
> ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs 
> against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running 
> the OWASP report.
> CVE-2012-4449 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
> Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate 
> token passwords using a 20-bit secret when Kerberos security features are 
> enabled, which
> makes it easier for context-dependent attackers to crack secret keys via a 
> brute-force attack.
> CONFIRM - 
> https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0
> MLIST - [hadoop-general] 20121012 [ANNOUNCE] Hadoop-1.0.4 release, with 
> Security fix
> Vulnerable Software & Versions: (show all)
> cpe:/a:apache:hadoop:1.0.0
> CVE-2017-3162 Severity:High   CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
> HDFS clients interact with a servlet on the DataNode to browse the HDFS 
> namespace. The NameNode is provided as a query parameter that is not 
> validated in Apache
> Hadoop before 2.7.0.
> BID - 98017
> MLIST - [hadoop-common-dev] 20170425 CVE-2017-3162: Apache Hadoop DataNode 
> web UI vulnerability
> Vulnerable Software & Versions:
> cpe:/a:apache:hadoop:2.6.5 and all previous versions



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (AMQ-6991) ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs against it.

2018-07-23 Thread Albert Baker (JIRA)


[ https://issues.apache.org/jira/browse/AMQ-6991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16553682#comment-16553682 ]

Albert Baker commented on AMQ-6991:
---

Not so fast

./activemq-leveldb-store/readme.md:works with Hadoop based file systems to achieve HA of your stored messages.
./activemq-leveldb-store/readme.md:**A:** An existing Hadoop 1.0.0 cluster
./activemq-leveldb-store/readme.md:
./activemq-leveldb-store/readme.md:   Instead of using a 'dfsUrl' property you can instead also just load an existing Hadoop configuration file if it's available on your system, for example:
./activemq-leveldb-store/readme.md:
./activemq-leveldb-store/readme.md:**A:** It should be able to run with any Hadoop supported file system like CloudStore, S3, MapR, NFS, etc (Well at least in theory, I've only tested against HDFS).

Either remove the hadoop feature, or fix the vulnerability, /please/

 



[jira] [Commented] (AMQ-6991) ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs against it.

2018-07-23 Thread Jamie goodyear (JIRA)


[ https://issues.apache.org/jira/browse/AMQ-6991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16553622#comment-16553622 ]

Jamie goodyear commented on AMQ-6991:
---

The hadoop library is only used for testing LevelDB:

./activemq-leveldb-store/src/test/scala/org/apache/activemq/leveldb/dfs/DFSLevelDBClient.scala
./activemq-leveldb-store/src/test/scala/org/apache/activemq/leveldb/dfs/DFSLevelDBStore.scala
./activemq-leveldb-store/src/test/scala/org/apache/activemq/leveldb/test/TestingHDFSServer.scala
./activemq-leveldb-store/src/test/scala/org/apache/activemq/leveldb/test/DFSLevelDBFastEnqueueTest.scala

The impact of using that library in a unit test is minimal - I'd suggest we 
could close this card as not-an-issue.

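The ticket's finding came from running OWASP Dependency-Check against the ActiveMQ pom.xml, and the disagreement in this thread is whether a flagged jar that is only declared for tests should block a release. The Python script below is an added example, not code from the ActiveMQ project or from anyone in this thread: it reads a Dependency-Check JSON report, keeps findings at or above a CVSS threshold, and separates jars that reach a shipped Maven scope from test-only ones. The report field layout it relies on is an assumption about the tool's output, and the embedded report is constructed from the two CVEs quoted in the ticket.

```python
# Added example, not code from the ActiveMQ project or the JIRA thread:
# triage an OWASP Dependency-Check JSON report by CVSS score and Maven scope.
# ASSUMPTION: the report shape (dependencies[].vulnerabilities[].cvssv2.score,
# dependencies[].projectReferences as "module:scope") approximates the tool's
# JSON output; the sample is constructed from the two findings in the ticket.
import json

SAMPLE_REPORT = json.dumps({"dependencies": [
    {
        "fileName": "hadoop-core-1.0.0.jar",
        "projectReferences": ["activemq-leveldb-store:test"],
        "vulnerabilities": [
            {"name": "CVE-2012-4449", "severity": "HIGH", "cvssv2": {"score": 7.5}},
            {"name": "CVE-2017-3162", "severity": "HIGH", "cvssv2": {"score": 7.5}},
        ],
    },
    {   # constructed clean dependency, present only to show it is skipped
        "fileName": "example-lib-1.2.jar",
        "projectReferences": ["activemq-broker:compile"],
        "vulnerabilities": [],
    },
]})

SHIPPED_SCOPES = {"compile", "runtime", "provided"}

def triage(report_json, cvss_threshold=7.0):
    """Split findings at or above cvss_threshold into (blocking, advisory):
    blocking when the jar reaches a shipped scope, advisory when test-only.
    This trusts the declared Maven scope, so a jar that main code needs but is
    declared only for tests would be misclassified: confirm usage against the
    source tree, as the ticket discussion does."""
    blocking, advisory = [], []
    for dep in json.loads(report_json).get("dependencies", []):
        scopes = {ref.rsplit(":", 1)[-1] for ref in dep.get("projectReferences", [])}
        shipped = bool(scopes & SHIPPED_SCOPES)
        for vuln in dep.get("vulnerabilities", []):
            score = float(vuln.get("cvssv2", {}).get("score", 0.0))
            if score >= cvss_threshold:
                finding = (dep["fileName"], vuln["name"], score, sorted(scopes))
                (blocking if shipped else advisory).append(finding)
    return blocking, advisory

if __name__ == "__main__":
    blocking, advisory = triage(SAMPLE_REPORT)
    for f in blocking:
        print("BLOCK ", *f)
    for f in advisory:
        print("REVIEW", *f)
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails a CI build
```

Run against a real report, swap SAMPLE_REPORT for the file contents of dependency-check-report.json and adjust SHIPPED_SCOPES to the scopes your build actually packages.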


[jira] [Commented] (AMQ-6991) ActiveMQ 5.15.4 hadoop-core-1.0.0.jar which has two high severity CVEs against it.

2018-06-18 Thread Albert Baker (JIRA)


[ https://issues.apache.org/jira/browse/AMQ-6991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16515786#comment-16515786 ]

Albert Baker commented on AMQ-6991:
---

"NameNode provided as a query parameter is not validated in Apache Hadoop 
before 2.7.0."

2.7.0 does not exist in Maven Central:

[http://mvnrepository.com/artifact/org.apache.hadoop/hadoop-core]

or Maven Cloudera:

[http://mvnrepository.com/artifact/org.apache.hadoop/hadoop-core?repo=cloudera]

 
