
HADOOP-18354: Upgrade reload4j to 1.22.2 due to XXE vulnerability #4607

Merged: 2 commits merged into apache:branch-3.3 from the HADOOP-18354 branch on Jul 24, 2022

Conversation

pjfanning (Contributor)

Description of PR

XXE issue in reload4j (probably not very exploitable)

How was this patch tested?

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

@pjfanning pjfanning changed the base branch from trunk to branch-3.3 July 21, 2022 22:37
@hadoop-yetus

💔 -1 overall

| Vote | Subsystem | Runtime | Logfile | Comment |
|---|---|---|---|---|
| +0 🆗 | reexec | 7m 36s | | Docker mode activated. |
| | _ Prechecks _ | | | |
| +1 💚 | dupname | 0m 0s | | No case conflicting files found. |
| +0 🆗 | codespell | 0m 0s | | codespell was not available. |
| +0 🆗 | detsecrets | 0m 0s | | detect-secrets was not available. |
| +0 🆗 | xmllint | 0m 0s | | xmllint was not available. |
| +0 🆗 | shelldocs | 0m 0s | | Shelldocs was not available. |
| +1 💚 | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | _ branch-3.3 Compile Tests _ | | | |
| +0 🆗 | mvndep | 14m 43s | | Maven dependency ordering for branch |
| +1 💚 | mvninstall | 23m 45s | | branch-3.3 passed |
| +1 💚 | compile | 17m 38s | | branch-3.3 passed |
| +1 💚 | mvnsite | 20m 0s | | branch-3.3 passed |
| +1 💚 | javadoc | 7m 19s | | branch-3.3 passed |
| +1 💚 | shadedclient | 29m 49s | | branch has no errors when building and testing our client artifacts. |
| | _ Patch Compile Tests _ | | | |
| +0 🆗 | mvndep | 0m 33s | | Maven dependency ordering for patch |
| +1 💚 | mvninstall | 21m 44s | | the patch passed |
| +1 💚 | compile | 17m 1s | | the patch passed |
| +1 💚 | javac | 17m 1s | | the patch passed |
| +1 💚 | blanks | 0m 0s | | The patch has no blanks issues. |
| +1 💚 | mvnsite | 19m 23s | | the patch passed |
| +1 💚 | shellcheck | 0m 0s | | No new issues. |
| +1 💚 | javadoc | 6m 41s | | the patch passed |
| +1 💚 | shadedclient | 30m 4s | | patch has no errors when building and testing our client artifacts. |
| | _ Other Tests _ | | | |
| -1 ❌ | unit | 696m 45s | /patch-unit-root.txt | root in the patch passed. |
| +1 💚 | asflicense | 1m 33s | | The patch does not generate ASF License warnings. |
| | | 903m 28s | | |

| Reason | Tests |
|---|---|
| Failed junit tests | hadoop.hdfs.server.federation.router.TestRouterRpc |
| | hadoop.hdfs.server.federation.router.TestRouterRpcMultiDestination |
| | hadoop.hdfs.server.blockmanagement.TestUnderReplicatedBlocks |
| | hadoop.hdfs.server.datanode.TestBPOfferService |
| | hadoop.yarn.server.resourcemanager.reservation.TestCapacityOverTimePolicy |
| | hadoop.yarn.server.resourcemanager.scheduler.fair.TestFairSchedulerOvercommit |

| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4607/1/artifact/out/Dockerfile |
| GITHUB PR | #4607 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
| uname | Linux 711c380b1131 4.15.0-169-generic #177-Ubuntu SMP Thu Feb 3 10:50:38 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | branch-3.3 / 4615639 |
| Default Java | Private Build-1.8.0_312-8u312-b07-0ubuntu1~18.04-b07 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4607/1/testReport/ |
| Max. process+thread count | 3134 (vs. ulimit of 5500) |
| modules | C: hadoop-project . U: . |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4607/1/console |
| versions | git=2.17.1 maven=3.6.0 shellcheck=0.4.6 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |

This message was automatically generated.

@ayushtkn (Member) left a comment

LGTM.
Can you check whether the test failures are related or not? The top 3 I know aren't.
Will commit after that, if no objections.

@pjfanning (Contributor, Author)

@ayushtkn in my local testing, I haven't seen the test failures that appeared in the CI build.

@hadoop-yetus

💔 -1 overall

| Vote | Subsystem | Runtime | Logfile | Comment |
|---|---|---|---|---|
| +0 🆗 | reexec | 0m 41s | | Docker mode activated. |
| | _ Prechecks _ | | | |
| +1 💚 | dupname | 0m 0s | | No case conflicting files found. |
| +0 🆗 | codespell | 0m 0s | | codespell was not available. |
| +0 🆗 | detsecrets | 0m 0s | | detect-secrets was not available. |
| +0 🆗 | xmllint | 0m 0s | | xmllint was not available. |
| +0 🆗 | shelldocs | 0m 0s | | Shelldocs was not available. |
| +1 💚 | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | _ branch-3.3 Compile Tests _ | | | |
| +0 🆗 | mvndep | 15m 4s | | Maven dependency ordering for branch |
| +1 💚 | mvninstall | 24m 55s | | branch-3.3 passed |
| +1 💚 | compile | 19m 0s | | branch-3.3 passed |
| +1 💚 | mvnsite | 22m 6s | | branch-3.3 passed |
| +1 💚 | javadoc | 7m 34s | | branch-3.3 passed |
| +1 💚 | shadedclient | 30m 50s | | branch has no errors when building and testing our client artifacts. |
| | _ Patch Compile Tests _ | | | |
| +0 🆗 | mvndep | 0m 34s | | Maven dependency ordering for patch |
| +1 💚 | mvninstall | 22m 20s | | the patch passed |
| +1 💚 | compile | 17m 45s | | the patch passed |
| +1 💚 | javac | 17m 45s | | the patch passed |
| +1 💚 | blanks | 0m 0s | | The patch has no blanks issues. |
| +1 💚 | mvnsite | 21m 0s | | the patch passed |
| +1 💚 | shellcheck | 0m 0s | | No new issues. |
| +1 💚 | javadoc | 6m 42s | | the patch passed |
| +1 💚 | shadedclient | 31m 12s | | patch has no errors when building and testing our client artifacts. |
| | _ Other Tests _ | | | |
| -1 ❌ | unit | 684m 10s | /patch-unit-root.txt | root in the patch passed. |
| +1 💚 | asflicense | 1m 30s | | The patch does not generate ASF License warnings. |
| | | 894m 0s | | |

| Reason | Tests |
|---|---|
| Failed junit tests | hadoop.hdfs.server.federation.router.TestRouterRpc |
| | hadoop.hdfs.server.federation.router.TestRouterRpcMultiDestination |
| | hadoop.hdfs.qjournal.server.TestJournalNodeSync |
| | hadoop.hdfs.server.balancer.TestBalancer |
| | hadoop.yarn.sls.appmaster.TestAMSimulator |

| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4607/2/artifact/out/Dockerfile |
| GITHUB PR | #4607 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
| uname | Linux d771daa7e9e7 4.15.0-169-generic #177-Ubuntu SMP Thu Feb 3 10:50:38 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | branch-3.3 / 5e3eefe |
| Default Java | Private Build-1.8.0_312-8u312-b07-0ubuntu1~18.04-b07 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4607/2/testReport/ |
| Max. process+thread count | 3199 (vs. ulimit of 5500) |
| modules | C: hadoop-project . U: . |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4607/2/console |
| versions | git=2.17.1 maven=3.6.0 shellcheck=0.4.6 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |

This message was automatically generated.

@ayushtkn ayushtkn changed the title HADOOP-18354: reload4j 1.22.2 HADOOP-18354: Upgrade reload4j to 1.22.2 due to XXE vulnerability Jul 24, 2022
@ayushtkn ayushtkn merged commit 36cb8a6 into apache:branch-3.3 Jul 24, 2022
@pjfanning pjfanning deleted the HADOOP-18354 branch July 24, 2022 10:36
@ayushtkn (Member)

The test failures changed in both builds, apart from the RBF one, which I have fixed now. So I went ahead and merged.

Side note: @pjfanning regarding the commit message: in Hadoop we don't use a colon to separate the JIRA id and the text; it is a '.' (period) here. So I changed ':' to '.' while merging.
https://cwiki.apache.org/confluence/display/hadoop/how+to+contribute#HowToContribute-Provideapatch

steveloughran pushed a commit to steveloughran/hadoop that referenced this pull request Jul 26, 2022
…ache#4607). Contributed by PJ Fanning.

Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
asfgit pushed a commit that referenced this pull request Jul 27, 2022
).

Contributed by PJ Fanning.

Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
jojochuang pushed a commit to jojochuang/hadoop that referenced this pull request May 23, 2023
…rability (apache#4607). Contributed by PJ Fanning.

Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>

(cherry picked from commit 36cb8a6)
Change-Id: Id61110441b273dbbec0ed3459c8f7eab4056ed7c
steveloughran pushed a commit to steveloughran/hadoop that referenced this pull request Feb 12, 2024
…ache#4607). Contributed by PJ Fanning.

Change-Id: Ic77cf8ea0f36f43a4e7d46b7e866121581d3483e
Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
steveloughran added a commit that referenced this pull request Feb 13, 2024

Co-authored-by: Wei-Chiu Chuang <weichiu@apache.org>

Includes HADOOP-18354. Upgrade reload4j to 1.22.2 due to XXE vulnerability (#4607).

Log4j 1.2.17 has been replaced by reload4j 1.22.2
SLF4J is at 1.7.36
iwasakims pushed a commit that referenced this pull request Feb 16, 2024
Co-authored-by: Wei-Chiu Chuang <weichiu@apache.org>

Includes HADOOP-18354. Upgrade reload4j to 1.22.2 due to XXE vulnerability (#4607).

Log4j 1.2.17 has been replaced by reload4j 1.22.2
SLF4J is at 1.7.36

(cherry picked from commit 095dfcc)
slfan1989 pushed a commit that referenced this pull request Mar 3, 2024
Co-authored-by: Wei-Chiu Chuang <weichiu@apache.org>

Includes HADOOP-18354. Upgrade reload4j to 1.22.2 due to XXE vulnerability (#4607).

Log4j 1.2.17 has been replaced by reload4j 1.22.2
SLF4J is at 1.7.36

(cherry picked from commit 095dfcc)