[ https://issues.apache.org/jira/browse/HDFS-16766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran updated HDFS-16766:
----------------------------------
    Description: 
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. The attack resides in XML input containing references to an external entity and is parsed by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.

https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93

h3. sonatype-2022-5732

If anyone is landing on this page following the sonatype-2022-5732 alert
# the xml expansion only happens on the command line of the {{hdfs ec}} command https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSErasureCoding.html#Administrative_commands
# the outcome of entity expansion will be the command failing/running out of memory
# if your cluster admin is loading erasure policies from untrusted sources, there are fundamental process issues to worry about beyond xml references

  was:
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. The attack resides in XML input containing references to an external entity and is parsed by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.
https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93


> XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source
> --------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-16766
>                 URL: https://issues.apache.org/jira/browse/HDFS-16766
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.4
>            Reporter: Jing
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.5, 3.2.5
>
>
> XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. The attack resides in XML input containing references to an external entity and is parsed by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.
>
> https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93
>
> h3. sonatype-2022-5732
>
> If anyone is landing on this page following the sonatype-2022-5732 alert
> # the xml expansion only happens on the command line of the {{hdfs ec}} command https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSErasureCoding.html#Administrative_commands
> # the outcome of entity expansion will be the command failing/running out of memory
> # if your cluster admin is loading erasure policies from untrusted sources, there are fundamental process issues to worry about beyond xml references



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
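Added example, not code from the Hadoop code base or from this issue: a stand-alone Java program that shows the difference between a default javax.xml.parsers.DocumentBuilder, the kind of weak configuration the issue describes, and one hardened so that a DOCTYPE is refused before any entity can be expanded or fetched. The input is a constructed, deliberately small entity-expansion payload wrapped in a policy-like XML skeleton; the element names (configuration, policies, policy, schema, cellsize) are an assumption and do not claim to reproduce the real ECPolicyLoader file format. It assumes Java 11 or later (for String.repeat) and the JDK's built-in Xerces-derived parser, which supports every feature string used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example: default vs. hardened DocumentBuilder on an entity-bearing policy file. */
public class EcPolicyXxeDemo {

  /**
   * Constructed sample input (not a real Hadoop EC policy file; element names are
   * an assumption). The DOCTYPE declares three nested internal entities, so the one
   * reference to &c; expands to 1,000 copies of "lol" (3,000 characters). Deeper
   * nesting is the classic entity-expansion ("billion laughs") denial of service
   * that makes a command run out of memory; replacing the declaration with
   * <!ENTITY c SYSTEM "file:///etc/passwd"> would turn it into a local file read.
   */
  static final String POLICY_XML =
      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE configuration [\n"
      + "  <!ENTITY a \"" + "lol".repeat(10) + "\">\n"
      + "  <!ENTITY b \"" + "&a;".repeat(10) + "\">\n"
      + "  <!ENTITY c \"" + "&b;".repeat(10) + "\">\n"
      + "]>\n"
      + "<configuration>\n"
      + "  <policies>\n"
      + "    <policy><schema>&c;</schema><cellsize>1048576</cellsize></policy>\n"
      + "  </policies>\n"
      + "</configuration>\n";

  /** The weak configuration: a default factory accepts DOCTYPEs and expands entities. */
  static DocumentBuilder weakBuilder() throws ParserConfigurationException {
    return DocumentBuilderFactory.newInstance().newDocumentBuilder();
  }

  /**
   * Hardened configuration. Disallowing the DOCTYPE declaration is the single
   * setting that stops both external entities and expansion bombs; the remaining
   * features are defence in depth for parser implementations that ignore it.
   */
  static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    return f.newDocumentBuilder();
  }

  /**
   * Parses the sample and returns the length of the text inside the first <schema>
   * element, or -1 if the parser rejected the document. With the weak builder the
   * tiny input yields 3,000 characters of expanded text; the hardened builder
   * raises a SAXParseException on the DOCTYPE and never reaches the entities.
   */
  static int schemaTextLength(DocumentBuilder builder, String xml) throws Exception {
    try {
      Document doc = builder.parse(
          new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      return doc.getElementsByTagName("schema").item(0).getTextContent().length();
    } catch (SAXParseException e) {
      System.out.println("rejected: " + e.getMessage());
      return -1;
    }
  }

  public static void main(String[] args) throws Exception {
    System.out.println("default builder, schema text length: "
        + schemaTextLength(weakBuilder(), POLICY_XML));
    System.out.println("hardened builder, schema text length: "
        + schemaTextLength(hardenedBuilder(), POLICY_XML));
  }
}
```

Compile and run with `javac EcPolicyXxeDemo.java && java EcPolicyXxeDemo`. The payload is kept three levels deep and well under the JDK's default entity-expansion limit so that the weak path completes and the amplification (a few hundred bytes of input to 3,000 characters of output) is visible; the same structure a few levels deeper is what produces the out-of-memory outcome the issue describes, which is why the fix for a file that never legitimately needs a DTD is to refuse the DOCTYPE rather than to cap expansion.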