Hello Team, We had a query regarding below High and Critical vulnerability on Hadoop, could you please help here.
Query for below mentioned HIGH Vulnerability. We are having java based HDFS client which uses Hadoop-Common-3.3.3, Hadoop-hdfs-3.3.3 and Hadoop-hdfs-client-3.3.3 as it's dependency. Hadoop-Common and Hadoop-hdfs uses protobuf-java-2.5.0 as dependency. Hadoop-hdfs-client uses okhttp-2.7.5 as dependency We got the following high vulnerablilities in protobuf-java using "Anchore Grype" and in okhttp using "JFrog Xray". 1. Description : A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. 2. Description : OkHttp contains a flaw that is triggered during the handling of non-ASCII ETag headers. This may allow a remote attacker to crash a process linked against the library. 3. Description : OkHttp contains a flaw that is triggered during the reading of non-ASCII characters in HTTP/2 headers or in cached HTTP headers. This may allow a remote attacker to crash a process linked against the library. What is the impact of these vulnerablilities on HDFS client? If HDFS Client is impacted then what is the mitigation plan for that? Query for below mentioned CRITICAL Vulnerability. We are having java based HDFS client which uses Hadoop-Common-3.3.3 as it's dependency. in our application. Hadoop-Common-3.3.3 uses netty-codec-4.1.42.Final as deep dependency. We got the following critical vulnerablility in netty-codec using JFrog Xray. Description : Netty contains an overflow condition in the Lz4FrameEncoder::finishEncode() function in codec/src/main/java/io/netty/handler/codec/compression/Lz4FrameEncoder.java that is triggered when compressing data and writing the last header. This may allow an attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. What is the impact of this vulnerablility on HDFS client? If HDFS Client is impacted then what is the mitigation plan for that? Regards, Deepti Sharma PMP(r) & ITIL