[
https://issues.apache.org/jira/browse/CARBONDATA-3729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17049326#comment-17049326
]
XuCongying commented on CARBONDATA-3729:
I found that the buggy methods of the CVEs are in the program execution path of
your project, which makes your project at risk. I have suggested some version
updates. Here is the detailed information:
* *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.2
* *Call Chain to Buggy Methods:*
** *Some files in your project call the library method
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String),
which can reach the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java
*** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
** *Some files in your project call the library method
org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration),
which can reach the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java,
core/src/main/java/org/apache/carbondata/core/datastore/impl/FileFactory.java
*** One of the possible call chains:
org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.get(java.net.URI,org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.getDefaultUri(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
** *Some files in your project call the library method
org.apache.hadoop.security.UserGroupInformation.getCurrentUser(), which can
reach the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/util/Auditor.java,
common/src/main/java/org/apache/carbondata/common/logging/LogService.java
*** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getCurrentUser()
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
** *Some files in your project call the library method
org.apache.hadoop.security.UserGroupInformation.getLoginUser(), which can reach
the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
core/src/main/java/org/apache/carbondata/core/util/CarbonUtil.java
*** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
** *Some files in your project call the library method
org.apache.hadoop.conf.Configuration.get(java.lang.String), which can reach the
buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/loading/jsoninput/JsonInputFormat.java,
core/src/main/java/org/apache/carbondata/core/datamap/DataMapUtil.java,
core/src/main/java/org/apache/carbondata/core/util/CarbonProperties.java
*** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
** *Update suggestion:* version 3.2.1. 3.2.1 is a safe version without CVEs.
From 2.7.2 to 3.2.1, 20 of the APIs (called by 81 times in you