[ https://issues.apache.org/jira/browse/HDFS-16766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated HDFS-16766:
----------------------------------
    Description: 
XML External Entity (XXE) attacks can occur when an XML parser supports XML 
entities while processing XML received from an untrusted source. The attack 
resides in XML input containing references to an external entity and is parsed 
by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.

https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93

h3. sonatype-2022-5732

If anyone is landing on this page following the sonatype-2022-5732 alert:
# the xml expansion only happens on the command line of the {{hdfs ec}} command 
https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSErasureCoding.html#Administrative_commands
# the outcome of entity expansion will be the command failing/running out of 
memory
# if a cluster admin is loading erasure policies from untrusted sources, there 
are fundamental process issues to worry about beyond xml references

bq. hdfs cluster administrators who receive XML erasure coding policies from 
untrusted sources (email etc) must sanitize the file by removing all &entity; 
references before using the "hdfs ec" command. Otherwise the tool will fail 
before it has a chance to apply whatever the malicious EC policy was. 
Alternatively: do not configure your hadoop cluster from XML files you haven't 
written yourself.
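An added example, not code from the Hadoop project or from this issue: a DocumentBuilderFactory hardened so that a policy file cannot declare or reference entities, run against a constructed and simplified EC policy file whose DOCTYPE declares an entity. The class name, method names and the sample file layout are assumptions of mine; the default-factory parse stands in for the weak configuration the issue describes.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class EcPolicyXmlHardening {
    // Constructed, simplified EC policy file whose DOCTYPE declares an internal entity;
    // a policy file an admin is willing to load should never carry a DOCTYPE at all.
    static final String POLICY_WITH_ENTITY =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE configuration [ <!ENTITY name \"RS-6-3-1024k\"> ]>\n"
        + "<configuration><policies><policy>\n"
        + "  <schema>&name;</schema><cellsize>1048576</cellsize>\n"
        + "</policy></policies></configuration>\n";

    /** Factory hardened so a policy file cannot declare, reference or fetch entities. */
    static DocumentBuilder secureBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright blocks internal entity bombs and external entities alike.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** True when the hardened parser refuses the document, i.e. the file carried a DOCTYPE. */
    static boolean rejectedByHardenedParser(String xml) throws Exception {
        try {
            secureBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // A factory left at its defaults (the weak configuration this issue describes) expands &name; silently.
        Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(POLICY_WITH_ENTITY.getBytes(StandardCharsets.UTF_8)));
        System.out.println("default parser expanded <schema> to: "
            + d.getElementsByTagName("schema").item(0).getTextContent());
        System.out.println("hardened parser rejects the file: " + rejectedByHardenedParser(POLICY_WITH_ENTITY));
    }
}
```

The hardened parser throws a SAXParseException on the DOCTYPE line, which is the failure mode to expect once `hdfs ec` loads policies with entity expansion disabled: a file that needs sanitizing is refused before any policy is applied.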



> hdfs ec command loads (administrator provided) erasure code policy files 
> without disabling xml entity expansion
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-16766
>                 URL: https://issues.apache.org/jira/browse/HDFS-16766
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.4
>            Reporter: Jing
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.5, 3.2.5
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
