You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
❌ hadoop-common-2.7.3.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
❌ log4j-1.2.17.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
hadoop-auth-2.7.3.jar
zookeeper-3.4.6.jar
❌ netty-3.6.2.Final.jar (Vulnerable Library)
netty-all-4.0.23.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-hdfs-2.7.3.jar
❌ netty-all-4.0.23.Final.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
❌ log4j-1.2.17.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
❌ hadoop-common-2.7.3.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-hdfs-2.7.3.jar
❌ netty-all-4.0.23.Final.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
❌ log4j-1.2.17.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
❌ protobuf-java-2.5.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
❌ log4j-1.2.17.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
❌ log4j-1.2.17.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
❌ protobuf-java-2.5.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
❌ hadoop-hdfs-2.7.3.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-hdfs-2.7.3.jar
❌ netty-all-4.0.23.Final.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-hdfs-2.7.3.jar
❌ netty-all-4.0.23.Final.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
❌ hadoop-common-2.7.3.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
❌ hadoop-hdfs-2.7.3.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-hdfs-2.7.3.jar
❌ netty-all-4.0.23.Final.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
hadoop-auth-2.7.3.jar
zookeeper-3.4.6.jar
❌ netty-3.6.2.Final.jar (Vulnerable Library)
netty-all-4.0.23.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-hdfs-2.7.3.jar
❌ netty-all-4.0.23.Final.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-common-2.7.3.jar
hadoop-auth-2.7.3.jar
zookeeper-3.4.6.jar
❌ netty-3.6.2.Final.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
Dependency Hierarchy:
hadoop-client-2.7.3.jar (Root Library)
hadoop-hdfs-2.7.3.jar
❌ xercesImpl-2.9.1.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-mapreduce-client-core/2.7.3/hadoop-mapreduce-client-core-2.7.3.jar
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
Vulnerable Library - hadoop-client-2.7.3.jar
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.2.5/httpclient-4.2.5.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-26612
Vulnerable Library - hadoop-common-2.7.3.jar
Apache Hadoop Common
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3
Publish Date: 2022-04-07
URL: CVE-2022-26612
CVSS 4 Score Details (9.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26612
Release Date: 2022-04-07
Fix Resolution: org.apache.hadoop:hadoop-common:3.2.3
CVE-2022-23305
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
CVSS 4 Score Details (9.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
CVE-2019-20444
Vulnerable Libraries - netty-3.6.2.Final.jar, netty-all-4.0.23.Final.jar
netty-3.6.2.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar
Dependency Hierarchy:
netty-all-4.0.23.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
CVSS 4 Score Details (9.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution (io.netty:netty): 4.0.0.Alpha1
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
Fix Resolution (io.netty:netty-all): 4.0.0.Alpha1
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-17571
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
CVSS 4 Score Details (9.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: test
Release Date: 2019-12-20
Fix Resolution: test
CVE-2022-25168
Vulnerable Library - hadoop-common-2.7.3.jar
Apache Hadoop Common
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).
Publish Date: 2022-08-04
URL: CVE-2022-25168
CVSS 4 Score Details (9.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
Release Date: 2022-08-04
Fix Resolution (org.apache.hadoop:hadoop-common): 2.10.2
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-9493
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
CVSS 4 Score Details (9.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2019-20445
Vulnerable Library - netty-all-4.0.23.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Publish Date: 2020-01-29
URL: CVE-2019-20445
CVSS 4 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
Release Date: 2020-01-29
Fix Resolution (io.netty:netty-all): 4.1.44.Final
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-26464
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-10
URL: CVE-2023-26464
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-vp98-w2p3-mv35
Release Date: 2023-03-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
CVE-2022-3509
Vulnerable Library - protobuf-java-2.5.0.jar
Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: http://code.google.com/p/protobuf
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-11-01
URL: CVE-2022-3509
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509
Release Date: 2022-12-12
Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-23307
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2022-23302
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2021-22569
Vulnerable Library - protobuf-java-2.5.0.jar
Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: http://code.google.com/p/protobuf
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Publish Date: 2022-01-07
URL: CVE-2021-22569
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-wrvw-hg22-4m67
Release Date: 2022-01-10
Fix Resolution (com.google.protobuf:protobuf-java): 3.16.1
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-9492
Vulnerable Library - hadoop-hdfs-2.7.3.jar
Apache Hadoop HDFS
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
Publish Date: 2021-01-26
URL: CVE-2020-9492
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E
Release Date: 2021-01-26
Fix Resolution (org.apache.hadoop:hadoop-hdfs): 2.10.1
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7238
Vulnerable Library - netty-all-4.0.23.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
Publish Date: 2020-01-27
URL: CVE-2020-7238
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-27
Fix Resolution (io.netty:netty-all): 4.1.44.Final
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-16869
Vulnerable Library - netty-all-4.0.23.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
Publish Date: 2019-09-26
URL: CVE-2019-16869
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
Release Date: 2019-09-26
Fix Resolution (io.netty:netty-all): 4.1.42.Final
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-8009
Vulnerable Library - hadoop-common-2.7.3.jar
Apache Hadoop Common
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
Publish Date: 2018-11-13
URL: CVE-2018-8009
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1593018
Release Date: 2018-11-13
Fix Resolution (org.apache.hadoop:hadoop-common): 2.7.4
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-11768
Vulnerable Library - hadoop-hdfs-2.7.3.jar
Apache Hadoop HDFS
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
Publish Date: 2019-10-04
URL: CVE-2018-11768
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600@%3Chdfs-dev.hadoop.apache.org%3E
Release Date: 2019-10-04
Fix Resolution (org.apache.hadoop:hadoop-hdfs): 2.8.5
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-4970
Vulnerable Library - netty-all-4.0.23.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
Publish Date: 2017-04-13
URL: CVE-2016-4970
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970
Release Date: 2017-04-13
Fix Resolution (io.netty:netty-all): 4.0.37.Final
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2015-2156
Vulnerable Libraries - netty-3.6.2.Final.jar, netty-all-4.0.23.Final.jar
netty-3.6.2.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar
Dependency Hierarchy:
netty-all-4.0.23.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Publish Date: 2017-10-18
URL: CVE-2015-2156
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
Release Date: 2017-10-18
Fix Resolution (io.netty:netty): 3.9.8.Final
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
Fix Resolution (io.netty:netty-all): 3.9.8.Final
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2014-3488
Vulnerable Library - netty-3.6.2.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Publish Date: 2014-07-31
URL: CVE-2014-3488
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488
Release Date: 2014-07-31
Fix Resolution (io.netty:netty): 3.9.2.Final
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2012-0881
Vulnerable Library - xercesImpl-2.9.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution (xerces:xercesImpl): 2.12.0
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-3166
Vulnerable Library - hadoop-mapreduce-client-core-2.7.3.jar
Apache Hadoop Project POM
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-mapreduce-client-core/2.7.3/hadoop-mapreduce-client-core-2.7.3.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
Publish Date: 2017-11-08
URL: CVE-2017-3166
CVSS 4 Score Details (8.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166
Release Date: 2017-11-08
Fix Resolution (org.apache.hadoop:hadoop-mapreduce-client-core): 2.7.4
Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: