[ https://issues.apache.org/jira/browse/HBASE-28520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17885257#comment-17885257 ]
Istvan Toth commented on HBASE-28520:
-------------------------------------

commons-configuration2 is a dependency leak from the Hadoop Metrics API; there is no good reason to use that in a public(ish) API in Hadoop. We should add a new method to Hadoop that does not leak commons-configuration2 (though that would only help in the far future).

> CVE-2024-29131 resolution
> -------------------------
>
>                 Key: HBASE-28520
>                 URL: https://issues.apache.org/jira/browse/HBASE-28520
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ashwini Soni
>            Priority: Major
>
> The CVE-2024-29131 is related to the package org.apache.commons:commons-configuration2. The current version used is 2.1.1. This needs to be upgraded to 2.10.1.
> I tried upgrading it. When commons-configuration2 is upgraded to 2.10.1 then the below error occurs in hbase-master:
>
> Exception in thread "main" java.lang.NoSuchMethodError: org.apache.commons.text.lookup.StringLookupFactory.base64DecoderStringLookup()Lorg/apache/commons/text/lookup/StringLookup;
>     at org.apache.commons.configuration2.interpol.DefaultLookups.<clinit>(DefaultLookups.java:68)
>     at org.apache.commons.configuration2.interpol.ConfigurationInterpolator$DefaultPrefixLookupsHolder.createDefaultLookups(ConfigurationInterpolator.java:647)
>     at org.apache.commons.configuration2.interpol.ConfigurationInterpolator$DefaultPrefixLookupsHolder.<init>(ConfigurationInterpolator.java:627)
>     at org.apache.commons.configuration2.interpol.ConfigurationInterpolator$DefaultPrefixLookupsHolder.<clinit>(ConfigurationInterpolator.java:614)
>     at org.apache.commons.configuration2.interpol.ConfigurationInterpolator.getDefaultPrefixLookups(ConfigurationInterpolator.java:290)
>     at org.apache.commons.configuration2.AbstractConfiguration.installDefaultInterpolator(AbstractConfiguration.java:378)
>     at org.apache.commons.configuration2.AbstractConfiguration.<init>(AbstractConfiguration.java:125)
>     at org.apache.commons.configuration2.BaseConfiguration.<init>(BaseConfiguration.java:36)
>     at org.apache.commons.configuration2.PropertiesConfiguration.<init>(PropertiesConfiguration.java:1060)
>     at org.apache.hadoop.metrics2.impl.MetricsConfig.loadFirst(MetricsConfig.java:114)
>     at org.apache.hadoop.metrics2.impl.MetricsConfig.create(MetricsConfig.java:97)
>     at org.apache.hadoop.metrics2.impl.MetricsSystemImpl.configure(MetricsSystemImpl.java:482)
>     at org.apache.hadoop.metrics2.impl.MetricsSystemImpl.start(MetricsSystemImpl.java:188)
>     at org.apache.hadoop.metrics2.impl.MetricsSystemImpl.init(MetricsSystemImpl.java:163)
>     at org.apache.hadoop.metrics2.lib.DefaultMetricsSystem.init(DefaultMetricsSystem.java:62)
>     at org.apache.hadoop.metrics2.lib.DefaultMetricsSystem.initialize(DefaultMetricsSystem.java:58)
>     at org.apache.hadoop.hbase.metrics.BaseSourceImpl$DefaultMetricsSystemInitializer.init(BaseSourceImpl.java:54)
>     at org.apache.hadoop.hbase.metrics.BaseSourceImpl.<init>(BaseSourceImpl.java:112)
>     at org.apache.hadoop.hbase.metrics.ExceptionTrackingSourceImpl.<init>(ExceptionTrackingSourceImpl.java:47)
>     at org.apache.hadoop.hbase.thrift.MetricsThriftServerSourceImpl.<init>(MetricsThriftServerSourceImpl.java:54)
>     at org.apache.hadoop.hbase.thrift.MetricsThriftServerSourceFactoryImpl.createThriftOneSource(MetricsThriftServerSourceFactoryImpl.java:43)
>     at org.apache.hadoop.hbase.thrift.ThriftMetrics.<init>(ThriftMetrics.java:75)
>     at org.apache.hadoop.hbase.thrift.ThriftServer.createThriftMetrics(ThriftServer.java:200)
>     at org.apache.hadoop.hbase.thrift.ThriftServer.setupParamters(ThriftServer.java:228)
>     at org.apache.hadoop.hbase.thrift.ThriftServer.run(ThriftServer.java:830)
>     at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
>     at org.apache.hadoop.hbase.thrift.ThriftServer.main(ThriftServer.java:861)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
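The NoSuchMethodError in the quoted trace is thrown from commons-configuration2 code (DefaultLookups) that references a method of org.apache.commons.text.lookup.StringLookupFactory, so the commons-text class actually loaded at runtime does not provide the method that the upgraded commons-configuration2 2.10.1 was compiled against. Before bumping one artifact in isolation, a practitioner would check which commons-text jar (and whether more than one) is shipped alongside it. The script below is an added diagnostic, not part of the ticket, of HBase, or of Hadoop; it assumes a lib directory whose jars follow the usual Maven `<artifactId>-<version>.jar` naming (for example `$HBASE_HOME/lib`).

```shell
#!/bin/sh
# Added diagnostic, not part of HBASE-28520 or of HBase itself.
# Assumes a lib directory holding jars named <artifactId>-<version>.jar
# (the usual Maven naming), e.g. $HBASE_HOME/lib.

# Print one version per jar of the given artifact found in the directory.
jar_versions() {
  dir=$1
  artifact=$2
  for f in "$dir/$artifact"-[0-9]*.jar; do
    [ -e "$f" ] || continue            # glob did not match anything
    v=${f##*/}                         # strip the directory part
    v=${v#"$artifact"-}                # strip "<artifactId>-"
    printf '%s\n' "${v%.jar}"          # strip ".jar"
  done
}

# Report the two artifacts named in the stack trace: the caller
# (commons-configuration2) and the artifact owning the class in which the
# method was not found (commons-text). A missing or duplicated jar is the
# usual reason a NoSuchMethodError appears after a partial upgrade.
check_skew() {
  dir=$1
  for a in commons-configuration2 commons-text; do
    versions=$(jar_versions "$dir" "$a")
    if [ -z "$versions" ]; then
      echo "WARN: $a not found in $dir"
      continue
    fi
    count=$(printf '%s\n' "$versions" | wc -l | tr -d ' ')
    if [ "$count" -eq 1 ]; then
      echo "OK:   $a $versions"
    else
      echo "WARN: $a present in $count versions: $(printf '%s' "$versions" | tr '\n' ' ')"
    fi
  done
}

# Usage: sh check_skew.sh /path/to/hbase/lib
[ $# -gt 0 ] && check_skew "$1"
```

Run it against the lib directory of the build that fails to start; compare the reported commons-text version with the one declared in the POM of commons-configuration2 2.10.1, and treat two versions of either artifact on the same classpath as a finding in its own right, since which one the JVM loads first is not something the application controls.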