Per the guidance on the HBase book preface[1], I'll forward Barani's
question to the HBase private list. I'd kindly request no further
communication here until the question can be properly evaluated.
Thanks.

[1] https://hbase.apache.org/book.html#_preface

On 3/10/20 1:07 PM, Barani Bikshandi wrote:
I was notified of a security issue recently in the below package. Is there a
plan to fix this vulnerability in the near future?
Risk Name
Weakly Configured XML External Entity for Java JAXBContext
Vulnerability
An attacker can inject untrusted data into applications which may result in the
disclosure of confidential data, denial of service, server side request
forgeries or port scanning.
Code:
/hbase/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/client/RemoteAdmin.java
Mitigation:
We require that XML processors be configured properly to prevent XXE
(XML External Entity) attacks when an application handles data from an
untrusted source.
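
The mitigation quoted above, as an added example that is not part of this thread and not HBase's code: a JAXB unmarshaller fed through a StAX reader with DTDs and external entities disabled. `VersionModel` and `parse` are hypothetical names, both input strings are constructed, and the JAXB API is assumed to be on the classpath as `javax.xml.bind` (`jakarta.xml.bind` in newer releases).

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

public class HardenedJaxbExample {

    // Hypothetical model class for illustration; not an HBase type.
    @XmlRootElement(name = "version")
    public static class VersionModel {
        public String value;
    }

    // Unmarshal untrusted XML through a StAX reader that refuses DTDs and
    // external entities, instead of handing JAXB the raw stream.
    static VersionModel parse(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);

        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        try {
            Unmarshaller u = JAXBContext.newInstance(VersionModel.class).createUnmarshaller();
            return (VersionModel) u.unmarshal(reader);
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary document parses as before.
        String plain = "<version><value>1.0</value></version>";
        System.out.println("plain document: value=" + parse(plain).value);

        // Constructed sample: a document that declares its own entity in a DTD.
        // With DTD support off, the declaration is never processed, so the
        // reference cannot be resolved by the parser.
        String withDtd = "<!DOCTYPE version [<!ENTITY e \"x\">]>"
                + "<version><value>&e;</value></version>";
        try {
            VersionModel m = parse(withDtd);
            System.out.println("DTD document accepted: value=" + m.value);
        } catch (Exception ex) {
            System.out.println("DTD document rejected: " + ex.getClass().getName());
        }
    }
}
```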