[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15415769#comment-15415769 ]

stack commented on HBASE-16267:
-------------------------------

bq. hbase doesn't import any sun.net.* classes - hadoop does.

You miss the point. It seems like HttpURLConnection is using httpclient as a 
provider. Can you change that by setting a config on the JVM?


bq. If dependency is explicit, hbase codebase would still be vulnerable even 
after upgrade.

Seems reasonable but I'd think that this reasoning on why we have references to 
classes from jars with vulnerabilities should be written out in 
code/poms/release notes. No one is going to look this far down in an issue to 
figure why you did something.



> Remove commons-httpclient dependency from hbase-rest module
> -----------------------------------------------------------
>
>                 Key: HBASE-16267
>                 URL: https://issues.apache.org/jira/browse/HBASE-16267
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>            Priority: Critical
>             Fix For: 2.0.0
>
>         Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt, 
> 16267.v13.txt, 16267.v14.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 
> 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the 
> code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}
> HADOOP-12767
> to move the uses of httpclient HADOOP-10105
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : 
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents 
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting 
> during an SSL handshake, which allows remote attackers to cause a denial of 
> service (HTTPS call hang) via unspecified vectors.
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
>     Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments 
> Service (FPS) merchant Java SDK and other products, does not verify that the 
> server hostname matches a domain name in the subject's Common Name (CN) or 
> subjectAltName field of the X.509 certificate, which allows man-in-the-middle 
> attackers to spoof SSL servers via an arbitrary valid certificate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
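
The distinction discussed above (a commons-httpclient reference that is explicit versus one that only arrives transitively through hadoop-common) can be checked mechanically. The following is an added example, not part of the original message or the HBase code base: a Python parser for `mvn dependency:tree` text output, run on the tree lines quoted in the issue description. The names `find_paths`, `NODE` and `SAMPLE_TREE` are assumptions made for this example.

```python
import re

# Constructed sample: the dependency-tree lines quoted in the issue description.
SAMPLE_TREE = """\
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
"""

# "[INFO] ", then zero or more 3-character indent cells ("|  " or "   "),
# an optional branch marker ("+- " or "\- "), then the Maven coordinates.
NODE = re.compile(
    r"^\[INFO\] ((?:[| ]  )*)([+\\]- )?([\w.\-]+(?::[\w.\-]+){3,5})\s*$"
)


def find_paths(tree_text, banned_ga):
    """Return (chain, is_direct) for each node matching 'groupId:artifactId'.

    chain lists the coordinates from the outermost parsed node down to the
    match; is_direct is True when the match sits at depth 1, i.e. it is
    declared in the module's own pom rather than inherited from a dependency.
    """
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # skip Maven banner and other non-tree lines
        depth = len(m.group(1)) // 3 + (1 if m.group(2) else 0)
        coord = m.group(3)
        # Drop siblings and deeper nodes so the stack holds only ancestors.
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, coord))
        if ":".join(coord.split(":")[:2]) == banned_ga:
            hits.append(([c for _, c in stack], depth <= 1))
    return hits


if __name__ == "__main__":
    target = "commons-httpclient:commons-httpclient"
    for chain, is_direct in find_paths(SAMPLE_TREE, target):
        kind = "declared directly" if is_direct else "transitive"
        print(f"{kind}: " + " -> ".join(chain))
```

A transitive hit disappears once the parent stops shipping the jar; a direct hit does not, which is the case the comment asks to have documented in code, poms or release notes.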
