hadoop-client-2.7.3.jar: 44 vulnerabilities (highest severity is: 9.3)

[dev-mend-for-github-com]

Vulnerable Library - hadoop-client-2.7.3.jar

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.2.5/httpclient-4.2.5.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (hadoop-client version)	Remediation Possible**	Reachability
CVE-2022-26612	Critical	9.3	hadoop-common-2.7.3.jar	Transitive	N/A*	❌
CVE-2022-23305	Critical	9.3	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2019-20444	Critical	9.3	detected in multiple dependencies	Transitive	2.7.4	✅
CVE-2019-17571	Critical	9.3	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2022-25168	Critical	9.2	hadoop-common-2.7.3.jar	Transitive	2.7.4	✅
CVE-2020-9493	Critical	9.2	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2019-20445	Critical	9.1	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
CVE-2023-26464	High	8.7	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2022-3509	High	8.7	protobuf-java-2.5.0.jar	Transitive	2.7.4	✅
CVE-2022-23307	High	8.7	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2022-23302	High	8.7	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2021-22569	High	8.7	protobuf-java-2.5.0.jar	Transitive	2.7.4	✅
CVE-2020-9492	High	8.7	hadoop-hdfs-2.7.3.jar	Transitive	2.7.4	✅
CVE-2020-7238	High	8.7	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
CVE-2019-16869	High	8.7	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
CVE-2018-8009	High	8.7	hadoop-common-2.7.3.jar	Transitive	2.7.4	✅
CVE-2018-11768	High	8.7	hadoop-hdfs-2.7.3.jar	Transitive	2.7.4	✅
CVE-2016-4970	High	8.7	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
CVE-2015-2156	High	8.7	detected in multiple dependencies	Transitive	2.7.4	✅
CVE-2014-3488	High	8.7	netty-3.6.2.Final.jar	Transitive	2.7.4	✅
CVE-2012-0881	High	8.7	xercesImpl-2.9.1.jar	Transitive	2.7.4	✅
CVE-2017-3166	High	8.5	hadoop-mapreduce-client-core-2.7.3.jar	Transitive	2.7.4	✅
CVE-2021-21409	High	8.2	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
CVE-2021-21295	High	8.2	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
CVE-2018-10237	High	8.2	guava-12.0.1.jar	Transitive	2.7.4	✅
CVE-2013-4002	High	8.2	xercesImpl-2.9.1.jar	Transitive	2.7.4	✅
CVE-2018-8029	High	7.7	hadoop-common-2.7.3.jar	Transitive	2.7.4	✅
WS-2020-0408	High	7.4	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
WS-2016-7071	High	7.1	hadoop-common-2.7.3.jar	Transitive	2.7.4	✅
CVE-2021-43797	High	7.1	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
CVE-2017-15713	High	7.1	hadoop-common-2.7.3.jar	Transitive	2.7.4	✅
CVE-2021-21290	Medium	6.9	netty-all-4.0.23.Final.jar	Transitive	2.7.4	✅
CVE-2020-14338	Medium	6.9	xercesImpl-2.9.1.jar	Transitive	2.7.4	✅
CVE-2020-13956	Medium	6.9	httpclient-4.2.5.jar	Transitive	N/A*	❌
CVE-2019-10086	Medium	6.9	detected in multiple dependencies	Transitive	2.7.4	✅
CVE-2014-0193	Medium	6.9	netty-3.6.2.Final.jar	Transitive	2.7.4	✅
CVE-2009-2625	Medium	6.9	xercesImpl-2.9.1.jar	Transitive	2.7.4	✅
CVE-2020-9488	Medium	6.3	log4j-1.2.17.jar	Transitive	N/A*	❌
CVE-2014-3577	Medium	6.3	httpclient-4.2.5.jar	Transitive	2.7.4	✅
CVE-2014-0114	Medium	6.3	detected in multiple dependencies	Transitive	2.7.4	✅
CVE-2012-5783	Medium	6.3	commons-httpclient-3.1.jar	Transitive	2.7.4	✅
WS-2017-3734	Medium	5.3	httpclient-4.2.5.jar	Transitive	2.7.4	✅
CVE-2022-3171	Medium	5.3	protobuf-java-2.5.0.jar	Transitive	2.7.4	✅
CVE-2020-8908	Medium	4.8	guava-12.0.1.jar	Transitive	2.7.4	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-26612

Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • ❌ hadoop-common-2.7.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3

Publish Date: 2022-04-07

URL: CVE-2022-26612

CVSS 4 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26612

Release Date: 2022-04-07

Fix Resolution: org.apache.hadoop:hadoop-common:3.2.3

CVE-2022-23305

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 4 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

CVE-2019-20444

Vulnerable Libraries - netty-3.6.2.Final.jar, netty-all-4.0.23.Final.jar

netty-3.6.2.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • hadoop-auth-2.7.3.jar
      • zookeeper-3.4.6.jar
        • ❌ netty-3.6.2.Final.jar (Vulnerable Library)

netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-hdfs-2.7.3.jar
    • ❌ netty-all-4.0.23.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

CVSS 4 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution (io.netty:netty): 4.0.0.Alpha1

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

Fix Resolution (io.netty:netty-all): 4.0.0.Alpha1

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-17571

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 4 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: test

Release Date: 2019-12-20

Fix Resolution: test

CVE-2022-25168

Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • ❌ hadoop-common-2.7.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).

Publish Date: 2022-08-04

URL: CVE-2022-25168

CVSS 4 Score Details (9.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

Release Date: 2022-08-04

Fix Resolution (org.apache.hadoop:hadoop-common): 2.10.2

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9493

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 4 Score Details (9.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2019-20445

Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-hdfs-2.7.3.jar
    • ❌ netty-all-4.0.23.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Publish Date: 2020-01-29

URL: CVE-2019-20445

CVSS 4 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445

Release Date: 2020-01-29

Fix Resolution (io.netty:netty-all): 4.1.44.Final

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-26464

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

CVE-2022-3509

Vulnerable Library - protobuf-java-2.5.0.jar

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://code.google.com/p/protobuf

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • ❌ protobuf-java-2.5.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-11-01

URL: CVE-2022-3509

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23307

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2022-23302

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2021-22569

Vulnerable Library - protobuf-java-2.5.0.jar

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://code.google.com/p/protobuf

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • ❌ protobuf-java-2.5.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-07

URL: CVE-2021-22569

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.1

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9492

Vulnerable Library - hadoop-hdfs-2.7.3.jar

Apache Hadoop HDFS

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • ❌ hadoop-hdfs-2.7.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

Publish Date: 2021-01-26

URL: CVE-2020-9492

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E

Release Date: 2021-01-26

Fix Resolution (org.apache.hadoop:hadoop-hdfs): 2.10.1

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7238

Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-hdfs-2.7.3.jar
    • ❌ netty-all-4.0.23.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Publish Date: 2020-01-27

URL: CVE-2020-7238

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-27

Fix Resolution (io.netty:netty-all): 4.1.44.Final

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-16869

Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-hdfs-2.7.3.jar
    • ❌ netty-all-4.0.23.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Publish Date: 2019-09-26

URL: CVE-2019-16869

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869

Release Date: 2019-09-26

Fix Resolution (io.netty:netty-all): 4.1.42.Final

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-8009

Vulnerable Library - hadoop-common-2.7.3.jar

Apache Hadoop Common

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.3/hadoop-common-2.7.3.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • ❌ hadoop-common-2.7.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

Publish Date: 2018-11-13

URL: CVE-2018-8009

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1593018

Release Date: 2018-11-13

Fix Resolution (org.apache.hadoop:hadoop-common): 2.7.4

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-11768

Vulnerable Library - hadoop-hdfs-2.7.3.jar

Apache Hadoop HDFS

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.3/hadoop-hdfs-2.7.3.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • ❌ hadoop-hdfs-2.7.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.

Publish Date: 2019-10-04

URL: CVE-2018-11768

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600@%3Chdfs-dev.hadoop.apache.org%3E

Release Date: 2019-10-04

Fix Resolution (org.apache.hadoop:hadoop-hdfs): 2.8.5

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-4970

Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-hdfs-2.7.3.jar
    • ❌ netty-all-4.0.23.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

Publish Date: 2017-04-13

URL: CVE-2016-4970

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970

Release Date: 2017-04-13

Fix Resolution (io.netty:netty-all): 4.0.37.Final

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2015-2156

Vulnerable Libraries - netty-3.6.2.Final.jar, netty-all-4.0.23.Final.jar

netty-3.6.2.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • hadoop-auth-2.7.3.jar
      • zookeeper-3.4.6.jar
        • ❌ netty-3.6.2.Final.jar (Vulnerable Library)

netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-hdfs-2.7.3.jar
    • ❌ netty-all-4.0.23.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Publish Date: 2017-10-18

URL: CVE-2015-2156

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156

Release Date: 2017-10-18

Fix Resolution (io.netty:netty): 3.9.8.Final

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

Fix Resolution (io.netty:netty-all): 3.9.8.Final

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-3488

Vulnerable Library - netty-3.6.2.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.6.2.Final/netty-3.6.2.Final.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-common-2.7.3.jar
    • hadoop-auth-2.7.3.jar
      • zookeeper-3.4.6.jar
        • ❌ netty-3.6.2.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

Publish Date: 2014-07-31

URL: CVE-2014-3488

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488

Release Date: 2014-07-31

Fix Resolution (io.netty:netty): 3.9.2.Final

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2012-0881

Vulnerable Library - xercesImpl-2.9.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-hdfs-2.7.3.jar
    • ❌ xercesImpl-2.9.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Publish Date: 2017-10-30

URL: CVE-2012-0881

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881

Release Date: 2017-10-30

Fix Resolution (xerces:xercesImpl): 2.12.0

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-3166

Vulnerable Library - hadoop-mapreduce-client-core-2.7.3.jar

Apache Hadoop Project POM

Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-mapreduce-client-core/2.7.3/hadoop-mapreduce-client-core-2.7.3.jar

Dependency Hierarchy:

• hadoop-client-2.7.3.jar (Root Library)
  • hadoop-mapreduce-client-app-2.7.3.jar
    • hadoop-mapreduce-client-common-2.7.3.jar
      • ❌ hadoop-mapreduce-client-core-2.7.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.

Publish Date: 2017-11-08

URL: CVE-2017-3166

CVSS 4 Score Details (8.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166

Release Date: 2017-11-08

Fix Resolution (org.apache.hadoop:hadoop-mapreduce-client-core): 2.7.4

Direct dependency fix Resolution (org.apache.hadoop:hadoop-client): 2.7.4

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.