thanks for getting in touch

neither of these branches is maintained; they are in the end-of-life list
https://cwiki.apache.org/confluence/display/HADOOP/EOL+%28End-of-life%29+Release+Branches

Our policy regarding any security issue in those branches is:

1. upgrade to a supported release, ideally the latest release of the hadoop 3 line, which is currently 3.2.1
2. See if the problem is still there

all your customers should upgrade to a maintained version - not just to get fixes in our code, but to get fixes in libraries which we ourselves depend upon. Special callout to jackson there.

regarding the specific CVEs, I believe both were fixed in
https://issues.apache.org/jira/browse/HDFS-6252 *Phase out the old web UI in HDFS*

hope this helps

On Thu, 4 Jun 2020 at 11:55, Daniel Elkabes <daniel.elka...@whitesourcesoftware.com> wrote:

> Dear Hadoop,
>
> My name is Daniel Elkabes, I'm the lead security researcher at WhiteSource.
> WhiteSource offers a solution for managing open source software security and
> features a vast database of reported security vulnerabilities that is
> consulted daily by clients worldwide.
>
> As part of our research we tried to find vulnerable elements for certain
> CVEs. Two of them are: CVE-2017-3161 and CVE-2017-3162.
>
> During the research we realized there is a problem determining the exact
> vulnerable elements. We have correlated information from online sources in
> order to find the relevant class/file/method.
>
> The researched versions for both of the CVEs are: 2.6.5 (vulnerable) and
> 2.7.0 (fixed)
>
> We have found some elements for CVE-2017-3161 and CVE-2017-3162 although
> we still lack conclusive evidence. Here's what we have found:
>
> As for *CVE-2017-3161*, we have found the following elements:
>
> location:
> \hadoop-2.7.0-src\hadoop-hdfs-project\hadoop-hdfs\src\main\java\org\apache\hadoop\hdfs\server\namenode\NameNode.java
>
> *class: NameNode*
>
> *methods:*
> *getServiceAddress(Configuration conf, boolean fallback) ;
> getHttpAddress(Configuration conf)*
>
> It seems that the HTTP address is directly constructed from the user's
> input. The fix (version 2.7.0) is performed by trimming the address. It's
> not a full mitigation to an XSS attack, thus we are not entirely sure
> whether these elements are the ones attached to CVE-2017-3161.
>
> ____
>
> As for *CVE-2017-3162*, we found the following elements:
>
> location:
> \hadoop-2.6.0-src\hadoop-hdfs-project\hadoop-hdfs\src\main\java\org\apache\hadoop\hdfs\server\datanode\DataNode.java
>
> *class: DataNode*
>
> *methods: startInfoServer(Configuration conf)*
>
> We are not entirely sure whether these elements are the ones related to
> CVE-2017-3162.
>
> As a last resort, we are contacting you as the main maintainer of the
> project to see what you think about this CVE and if you have any input to
> give us.
> We will really appreciate any additional information that you can give us,
> as we want to let our clients and the community understand it better.
>
> Sincerely,
>
> --
>
> *Daniel Elkabes*
> Sr. Security Researcher
>
> www.WhiteSourceSoftware.com <https://www.whitesourcesoftware.com/>
>
> LinkedIn <https://www.linkedin.com/in/danielelkabes>
> Twitter <https://twitter.com/danielelkabes>
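The reporter's point above, that trimming a configured address is not by itself an XSS mitigation, can be shown with a small added example. This is illustration code written for this thread, not Hadoop's own NameNode or DataNode code; the function names and the sample address values are constructed, and the contrast is between a trim-only normalization and a strict host:port validation followed by HTML escaping at the point where the value is rendered into a page.

```python
import html
import re
from typing import Optional, Tuple

# Hypothetical host:port pattern; constructed for this example, not Hadoop's parser.
HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def render_trim_only(addr: str) -> str:
    """Trim-only approach: whitespace is removed, then the raw value is
    concatenated straight into HTML. Any markup inside the value survives."""
    value = addr.strip()
    return '<a href="http://' + value + '">' + value + '</a>'


def parse_host_port(addr: str) -> Optional[Tuple[str, int]]:
    """Accept only a bare host:port with a valid port; return None otherwise.
    Input validation happens here, before the value is ever rendered."""
    m = HOST_PORT.match(addr.strip())
    if m is None:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:
        return None
    return m.group("host"), port


def render_safe(addr: str) -> str:
    """Validate first, then HTML-escape at the output boundary. Even if the
    validator were loosened later, the escaping keeps markup inert."""
    parsed = parse_host_port(addr)
    if parsed is None:
        raise ValueError("web address must be host:port")
    host, port = parsed
    text = html.escape(f"{host}:{port}", quote=True)
    return f'<a href="http://{text}">{text}</a>'


def markup_survives(rendered: str, fragment: str = "<b>") -> bool:
    """True when a raw tag from the input reached the rendered HTML unescaped."""
    return fragment in rendered


if __name__ == "__main__":
    # Constructed sample: a stray tag inside an address setting.
    sample = "  host.invalid:9870<b>injected</b>  "
    print("trim-only leaks markup:", markup_survives(render_trim_only(sample)))
    print("safe rejects it:", parse_host_port(sample) is None)
    print(render_safe("host.invalid:9870"))
```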