[jira] [Work logged] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client

Thu, 28 Apr 2022 08:09:08 -0700 


     [ 
https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=763576&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-763576
 ]

ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/Apr/22 15:08
            Start Date: 28/Apr/22 15:08
    Worklog Time Spent: 10m 
      Work Description: aajisaka commented on code in PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#discussion_r861007436


##########
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/oauth2/ConfRefreshTokenBasedAccessTokenProvider.java:
##########
@@ -103,36 +104,39 @@ public synchronized String getAccessToken() throws 
IOException {
 
   void refresh() throws IOException {
     try {
-      OkHttpClient client = new OkHttpClient();
-      client.setConnectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT,
-          TimeUnit.MILLISECONDS);
-      client.setReadTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT,
-                TimeUnit.MILLISECONDS);
+      OkHttpClient client =
+          new 
OkHttpClient.Builder().connectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT,
+                  TimeUnit.MILLISECONDS)
+              .readTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
+              .build();

Review Comment:
   Cool. Sorry my comment was wrong.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 763576)
    Time Spent: 3.5h  (was: 3h 20m)

> CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client  
> -------------------------------------------------------
>
>                 Key: HADOOP-18069
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18069
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: hdfs-client
>    Affects Versions: 3.3.1
>            Reporter: Eugene Shinn (Truveta)
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 3.5h
>  Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected [NVD - 
> CVE-2021-0341 
> (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection]
>  in our application. We traced the vulnerability to a transitive dependency 
> coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 
> ([hadoop/pom.xml at trunk · apache/hadoop 
> (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
>  To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: 
> [CVE-2021-0341 · Issue #6724 · square/okhttp 
> (github.com)|https://github.com/square/okhttp/issues/6724]).



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to