Created 05-02-2024 04:13 AM
Hi Team,
We got a critical vulnerability, CVE-2014-0014, found in CDP 7.1.7 SP1 commons-fileupload-1.3.3.jar. Could you please check and confirm whether Apache Struts is used in the Cloudera Data Platform (CDP) 7.1.7 SP1? Thanks.
Path:
./jars/commons-fileupload-1.3.3.jar
./lib/atlas/extractors/lib/azure-adls/commons-fileupload-1.3.3.jar
./lib/atlas/extractors/lib/aws-s3/commons-fileupload-1.3.3.jar
./lib/atlas/server/webapp/atlas/WEB-INF/lib/commons-fileupload-1.3.3.jar
./lib/search/lib/commons-fileupload-1.3.3.jar
./lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-fileupload-1.3.3.jar
./lib/hbase-solr/lib/commons-fileupload-1.3.3.jar
./lib/oozie/oozie-sharelib-yarn/lib/spark/commons-fileupload-1.3.3.jar
./lib/search/lib/search-crunch/commons-fileupload-1.3.3.jar
Created 05-02-2024 07:32 AM
@EY Thanks for bringing this to our community.
The CVE ID does not seem to be the appropriate one for the Apache Struts vulnerability shared. Help us with the following to understand this better:
1. What is the Security tool used and the version of it?
2. Share the flagged CVE from the security team.
3. Full CDP version
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0014
V
Created 05-02-2024 08:12 AM
Hi @vaishaakb, thanks for your reply.
1. The Security tool is ITAG Struts Tanium, but I am not sure of the version.
2. Flagged CVE is CVE-2014-0014, and we doubt it's a false positive being reported, since we checked and this CVE is for commons-beanutils.jar in Apache Struts. But the security team requested us to confirm with the Cloudera team whether Apache Struts is used in the Cloudera Data Platform (CDP) 7.1.7 SP1 and whether CDP was vulnerable to CVE-2014-0114.
3. Full CDP version is: 7.1.7-1.cdh7.1.7.p1050.30900109
Could you please advise on this? Thanks.