okhttp was last updated in 2017
why use this over httpclient? its only used in a couple of places and
removing it entirely would make this problem go away forever
---------- Forwarded message ---------
From: Eugene Shinn (Truveta) (Jira) <j...@apache.org>
Date: Wed, 5 Jan 2022 at 19:48
Subject: [jira] [Created] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5
detected in hdfs-client
To: <common-...@hadoop.apache.org>
Eugene Shinn (Truveta) created HADOOP-18069:
-----------------------------------------------
Summary: CVE-2021-0341 in okhttp@2.7.5 detected in
hdfs-client
Key: HADOOP-18069
URL: https://issues.apache.org/jira/browse/HADOOP-18069
Project: Hadoop Common
Issue Type: Bug
Components: hdfs-client
Affects Versions: 3.3.1
Reporter: Eugene Shinn (Truveta)
Our static vulnerability scanner (Fortify On Demand) detected [NVD -
CVE-2021-0341 (nist.gov)|
https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection] in
our application. We traced the vulnerability to a transitive dependency
coming from hadoop-hdfs-client, which depends on okhttp@2.7.5
([hadoop/pom.xml at trunk · apache/hadoop (github.com)|
https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref:
[CVE-2021-0341 · Issue #6724 · square/okhttp (github.com)|
https://github.com/square/okhttp/issues/6724]).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
