[
https://issues.apache.org/jira/browse/HADOOP-16588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16939134#comment-16939134
]
Masatake Iwasaki commented on HADOOP-16588:
-------------------------------------------
{noformat}
[INFO] +- commons-configuration:commons-configuration:jar:1.6:compile
[INFO] | \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile
[INFO] +- commons-digester:commons-digester:jar:1.8:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
{noformat}
This is from the dependency tree of hadoop-common with the patch applied.
commons-configuration depends on commons-beanutils-core. commons-beanutils-core
is a dependency-reduced commons-beanutils and was removed in BEANUTILS-379.
I think both commons-beanutils and commons-beanutils-core could be affected by
CVE-2019-10086 due to the existence of the relevant class.
{noformat}
$ jar tvf ./share/hadoop/common/lib/commons-beanutils-core-1.8.0.jar | grep BeanUtilsBean.class
 16336 Thu Aug 28 16:18:06 JST 2008 org/apache/commons/beanutils/BeanUtilsBean.class
 12623 Thu Aug 28 16:18:06 JST 2008 org/apache/commons/beanutils/locale/LocaleBeanUtilsBean.class
$ jar tvf ./share/hadoop/common/lib/commons-beanutils-1.9.4.jar | grep BeanUtilsBean.class
 12870 Sun Jul 28 18:16:38 JST 2019 org/apache/commons/beanutils/locale/LocaleBeanUtilsBean.class
 18035 Sun Jul 28 18:16:38 JST 2019 org/apache/commons/beanutils/BeanUtilsBean.class
{noformat}
commons-beanutils-core could be in front of commons-beanutils in the classpath.
{noformat}
$ bin/hadoop classpath --glob | sed -z 's/:/\n/g' | grep beanutils
/home/iwasakims/dist/hadoop-2.10.0-SNAPSHOT/share/hadoop/common/lib/commons-beanutils-core-1.8.0.jar
/home/iwasakims/dist/hadoop-2.10.0-SNAPSHOT/share/hadoop/common/lib/commons-beanutils-1.9.4.jar
/home/iwasakims/dist/hadoop-2.10.0-SNAPSHOT/share/hadoop/yarn/lib/commons-beanutils-core-1.8.0.jar
/home/iwasakims/dist/hadoop-2.10.0-SNAPSHOT/share/hadoop/yarn/lib/commons-beanutils-1.9.4.jar
{noformat}
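The comment above shows the underlying risk: two jars on the classpath carry the same class, and whichever jar the classloader sees first wins, so a patched library can be silently shadowed by an older copy. The following script is an added example, not code from the Jira thread or from Hadoop, that indexes every `.class` entry across the jars of a classpath (in classpath order) and reports duplicated classes together with the jar that would actually be loaded. The two jars it scans are stubs constructed in a temporary directory with `zipfile` so it runs offline; their names and entries mirror the ones in the comment, but they contain no real Apache Commons bytecode. Point `find_shadowed_classes` at the output of `hadoop classpath --glob` split on `:` to run it against a real install.

```python
"""Added example: find classes that exist in more than one jar on a classpath
and show which jar wins under first-match class loading."""
import os
import tempfile
import zipfile


def build_sample_classpath(workdir, newer_first=False):
    """Construct two stub jars (constructed data, not real Commons artifacts):
    an old dependency-reduced jar and the newer full jar both ship the same
    BeanUtilsBean class. Returns the jar paths in classpath order."""
    specs = [
        ("commons-beanutils-core-1.8.0.jar", [
            "org/apache/commons/beanutils/BeanUtilsBean.class",
            "org/apache/commons/beanutils/locale/LocaleBeanUtilsBean.class",
        ]),
        ("commons-beanutils-1.9.4.jar", [
            "org/apache/commons/beanutils/BeanUtilsBean.class",
            "org/apache/commons/beanutils/locale/LocaleBeanUtilsBean.class",
            "org/apache/commons/beanutils/PropertyUtils.class",  # only in the newer jar
        ]),
    ]
    if newer_first:
        specs.reverse()
    classpath = []
    for name, entries in specs:
        path = os.path.join(workdir, name)
        with zipfile.ZipFile(path, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")  # stub payload; a real jar holds bytecode
        classpath.append(path)
    return classpath


def index_classes(classpath):
    """Map each .class entry to the list of jars containing it, preserving
    classpath order so jars[0] is the one the classloader resolves."""
    seen = {}
    for jar_path in classpath:
        with zipfile.ZipFile(jar_path) as jar:
            for entry in jar.namelist():
                if entry.endswith(".class"):
                    seen.setdefault(entry, []).append(jar_path)
    return seen


def find_shadowed_classes(classpath):
    """Return {class: [winning_jar, shadowed_jar, ...]} for classes that appear
    in more than one jar. Single-occurrence classes are omitted."""
    return {cls: jars for cls, jars in index_classes(classpath).items() if len(jars) > 1}


def run_sample(newer_first=False):
    """Build the constructed jars, scan them, and return the duplicate map with
    jar basenames (stable regardless of the temporary directory)."""
    with tempfile.TemporaryDirectory() as workdir:
        classpath = build_sample_classpath(workdir, newer_first=newer_first)
        return {cls: [os.path.basename(j) for j in jars]
                for cls, jars in find_shadowed_classes(classpath).items()}


if __name__ == "__main__":
    for cls, jars in run_sample().items():
        print(f"{cls}\n  loaded from: {jars[0]}")
        for shadowed in jars[1:]:
            print(f"  shadowed:    {shadowed}")
```

Reordering the classpath changes which jar wins but does not remove the duplicate, so a CI check should fail on any entry in the returned map rather than only on the old jar being first; the durable fix is excluding or aligning the duplicate artifact in the build, as the patch on this issue does.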
> Update commons-beanutils version to 1.9.4 in branch-2
> -----------------------------------------------------
>
> Key: HADOOP-16588
> URL: https://issues.apache.org/jira/browse/HADOOP-16588
> Project: Hadoop Common
> Issue Type: Task
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
> Priority: Critical
> Labels: release-blocker
> Attachments: HADOOP-16588.branch-2.001.patch
>
>
> Similar to HADOOP-16542 but we need to do it differently.
> In branch-2, we pull in commons-beanutils through commons-configuration 1.6
> --> commons-digester 1.8
> {noformat}
> [INFO] +- commons-configuration:commons-configuration:jar:1.6:compile
> [INFO] | +- commons-digester:commons-digester:jar:1.8:compile
> [INFO] | | \- commons-beanutils:commons-beanutils:jar:1.7.0:compile
> [INFO] | \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile
> {noformat}
> I have a patch to update version of the transitive dependency.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)