Hello Team,
We have a query regarding the High and Critical vulnerabilities on Hadoop listed
below; could you please help here.
Query for the below-mentioned HIGH vulnerabilities.
We have a Java-based HDFS client which uses Hadoop-Common-3.3.3,
Hadoop-hdfs-3.3.3 and Hadoop-hdfs-client-3.3.3 as its dependencies.
Hadoop-Common and Hadoop-hdfs use protobuf-java-2.5.0 as a dependency.
Hadoop-hdfs-client uses okhttp-2.7.5 as a dependency.
We got the following high vulnerabilities in protobuf-java using "Anchore
Grype" and in okhttp using "JFrog Xray".
1. Description: A parsing issue with binary data in protobuf-java core and
lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial
of service attack. Inputs containing multiple instances of non-repeated embedded
messages with repeated or unknown fields causes objects to be converted
back-n-forth between mutable and immutable forms, resulting in potentially long
garbage collection pauses. We recommend updating to the versions mentioned above.
2. Description: OkHttp contains a flaw that is triggered during the handling
of non-ASCII ETag headers. This may allow a remote attacker to crash a process
linked against the library.
3. Description: OkHttp contains a flaw that is triggered during the reading of
non-ASCII characters in HTTP/2 headers or in cached HTTP headers. This may
allow a remote attacker to crash a process linked against the library.
What is the impact of these vulnerabilities on the HDFS client?
If the HDFS client is impacted, then what is the mitigation plan for that?
Query for the below-mentioned CRITICAL vulnerability.
We have a Java-based HDFS client in our application which uses
Hadoop-Common-3.3.3 as its dependency.
Hadoop-Common-3.3.3 uses netty-codec-4.1.42.Final as a deep dependency.
We got the following critical vulnerability in netty-codec using JFrog Xray.
Description: Netty contains an overflow condition in the
Lz4FrameEncoder::finishEncode() function in
codec/src/main/java/io/netty/handler/codec/compression/Lz4FrameEncoder.java
that is triggered when compressing data and writing the last header. This may
allow an attacker to cause a buffer overflow, resulting in a denial of service
or potentially allowing the execution of arbitrary code.
What is the impact of this vulnerability on the HDFS client?
If the HDFS client is impacted, then what is the mitigation plan for that?
Regards,
Deepti Sharma
PMP® & ITIL
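Before asking about impact, it is worth confirming which versions Maven actually resolves onto the client's classpath and whether they fall inside the advisory's fix ranges, since "prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3" is a per-branch statement that scanners sometimes apply loosely. The script below is an added example, not part of the mail above and not Hadoop project code. It parses `mvn dependency:tree` output (the sample tree is constructed; the coordinates, layout and the `com.example` root are assumptions) and applies the only fix versions the mail quotes, those for protobuf-java; okhttp and netty-codec have no fix versions in the mail, so they are reported as "no-advisory" until the entries are filled in from the scanner report.

```python
"""Triage scanner findings against the versions Maven actually resolves.

Added example (not from the mail above or the Hadoop project). It parses
`mvn dependency:tree` output and applies the advisory's fix versions branch by
branch, so a version on a patched branch (e.g. 3.19.6) is not flagged while an
older, unpatched branch (e.g. 2.5.0 or 3.18.x) is.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output for a client like the one in
# the mail. Coordinates and layout are assumptions for illustration; run the real
# command against your own pom to get the actual resolved tree.
SAMPLE_TREE = """\
[INFO] com.example:hdfs-client-app:jar:1.0.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.3:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  \\- io.netty:netty-codec:jar:4.1.42.Final:compile
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:3.3.3:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] \\- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.3:compile
[INFO]    \\- com.squareup.okhttp:okhttp:jar:2.7.5:compile
"""

# Fix versions exactly as quoted in the protobuf-java advisory text in the mail.
# The mail quotes no fix versions for okhttp or netty-codec, so no entries are
# given for them; add them from the scanner report before relying on the result.
ADVISORIES: Dict[str, List[str]] = {
    "com.google.protobuf:protobuf-java": ["3.16.3", "3.19.6", "3.20.3", "3.21.7"],
}

# One dependency line: group:artifact:jar:version:scope, after the tree drawing.
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version: '4.1.42.Final' -> (4, 1, 42, 0).

    Qualifiers ('Final', 'SNAPSHOT') are dropped; padding to four components makes
    tuple comparison behave like numeric comparison for the release versions here.
    """
    nums: List[int] = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(version: str, fix_versions: List[str]) -> bool:
    """Branch-aware range check.

    If the advisory names a fix on the same major.minor branch, the version is
    affected only if it is older than that fix. Otherwise the branch itself got
    no fix, and the version is affected unless it is newer than every listed fix
    (a later branch that already carries the change).
    """
    v = parse_version(version)
    fixes = [parse_version(f) for f in fix_versions]
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v < min(same_branch)
    return v < max(fixes)


def parse_tree(tree_text: str) -> List[Tuple[str, str, str]]:
    """Extract (group:artifact, version, scope) from each dependency line."""
    found = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m:
            group, artifact, version, scope = m.groups()
            found.append((f"{group}:{artifact}", version, scope))
    return found


def triage(tree_text: str, advisories: Dict[str, List[str]]) -> Dict[str, str]:
    """Map 'group:artifact:version' to 'affected', 'fixed' or 'no-advisory'."""
    result: Dict[str, str] = {}
    for coord, version, _scope in parse_tree(tree_text):
        if coord in advisories:
            status = "affected" if is_affected(version, advisories[coord]) else "fixed"
        else:
            status = "no-advisory"
        result[f"{coord}:{version}"] = status
    return result


if __name__ == "__main__":
    for coord, status in sorted(triage(SAMPLE_TREE, ADVISORIES).items()):
        print(f"{status:12s} {coord}")
```

To use it on a real build, save the output of `mvn dependency:tree` (optionally narrowed with `-Dincludes=com.google.protobuf,io.netty,com.squareup.okhttp`) and pass the text to `triage`. A result of "affected" only means the resolved version lies inside the advisory's range; whether the client's own code paths ever hand attacker-controlled input to the vulnerable parser, encoder or header handling is the separate question the mail puts to the list.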