Critical vulnerability CVE-2014-0114 found in CDP 7.1.7 SP1 commons-fileupload-1.3.3.jar

New Contributor

Hi Team,

We got a critical vulnerability, CVE-2014-0014, found in CDP 7.1.7 SP1 commons-fileupload-1.3.3.jar. Could you please check and confirm whether Apache Struts is used in the Cloudera Data Platform (CDP) 7.1.7 SP1? Thanks.

Path:

./jars/commons-fileupload-1.3.3.jar
./lib/atlas/extractors/lib/azure-adls/commons-fileupload-1.3.3.jar
./lib/atlas/extractors/lib/aws-s3/commons-fileupload-1.3.3.jar
./lib/atlas/server/webapp/atlas/WEB-INF/lib/commons-fileupload-1.3.3.jar
./lib/search/lib/commons-fileupload-1.3.3.jar
./lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-fileupload-1.3.3.jar
./lib/hbase-solr/lib/commons-fileupload-1.3.3.jar
./lib/oozie/oozie-sharelib-yarn/lib/spark/commons-fileupload-1.3.3.jar
./lib/search/lib/search-crunch/commons-fileupload-1.3.3.jar

2 REPLIES

Master Collaborator

@EY Thanks for bringing this to our community.

The CVE-ID does not seem to be the appropriate one for the Apache Struts vulnerability shared. Help us with the following to understand this better:

1. What is the Security tool used and the version of it?
2. Share the flagged CVE from the security team.
3. Full CDP version

Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0014

V

New Contributor

Hi @vaishaakb, thanks for your reply.

1. The security tool is ITAG Struts Tanium, but I am not sure of the version.

2. The flagged CVE is CVE-2014-0014, and we suspect it's a false positive report, since we checked and this CVE is for commons-beanutils.jar in Apache Struts. But the security team requested us to confirm with the Cloudera team whether Apache Struts is used in the Cloudera Data Platform (CDP) 7.1.7 SP1 and whether CDP was vulnerable to CVE-2014-0114.

3. The full CDP version is: 7.1.7-1.cdh7.1.7.p1050.30900109

Could you please advise on this. Thanks.
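
Added example (not part of the thread, and not Cloudera or scanner tooling): a way to triage a finding like this one by reading each flagged jar's embedded Maven coordinates and checking whether it actually bundles commons-beanutils or Struts classes. The package prefixes assume the upstream, unrelocated package names; the sample jars are constructed in memory and the `0.0.0` version is a placeholder.

```python
import io
import zipfile

# Class-path prefixes taken as evidence of the libraries the CVE concerns
# (assumption: upstream package names, not relocated/shaded).
SUSPECT_PREFIXES = {
    "commons-beanutils": "org/apache/commons/beanutils/",
    "struts": "org/apache/struts/",
}

def inspect_jar(jar):
    """Return Maven coordinates and bundled suspect libraries for a jar (path or file object)."""
    coords, found = {}, set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            # Maven-built jars carry META-INF/maven/<group>/<artifact>/pom.properties
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, sep, value = line.partition("=")
                    if sep and not key.startswith("#"):
                        coords[key.strip()] = value.strip()
            for label, prefix in SUSPECT_PREFIXES.items():
                if name.startswith(prefix) and name.endswith(".class"):
                    found.add(label)
    return {"artifact": coords.get("artifactId"), "version": coords.get("version"),
            "bundles": sorted(found)}

def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

# Constructed samples, not real library contents.
FILEUPLOAD = make_jar({
    "META-INF/maven/commons-fileupload/commons-fileupload/pom.properties":
        b"groupId=commons-fileupload\nartifactId=commons-fileupload\nversion=1.3.3\n",
    "org/apache/commons/fileupload/FileUpload.class": b"",
})
BEANUTILS = make_jar({
    "META-INF/maven/commons-beanutils/commons-beanutils/pom.properties":
        b"# placeholder version\ngroupId=commons-beanutils\nartifactId=commons-beanutils\nversion=0.0.0\n",
    "org/apache/commons/beanutils/PropertyUtilsBean.class": b"",
})

if __name__ == "__main__":
    for jar in (FILEUPLOAD, BEANUTILS):
        print(inspect_jar(jar))
```

On a real node, `inspect_jar` can be pointed at each path from the scanner report; a jar that bundles several artifacts has more than one `pom.properties`, and this sketch keeps only the last one read.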