Member since 10-16-2013
12-05-2022 10:10 AM
It looks like CDH 7.1.7 SP1 is vulnerable to CVE-2022-42889.
Here is the announcement from Apache which indicates the mitigation is to "Upgrade to Apache Commons Text 1.10.0".
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
There was another community thread about Text4Shell in NiFi, but CVE-2022-42889 is NOT just a NiFi issue.
CDH 7.1.7 SP1 (even p1057) includes the vulnerable common-jars 1.6/1.7 and 1.9.
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.7.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.9.jar
...
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_messaging_manager/libs/commons-text-1.9.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_replication_manager/lib/commons-text-1.9.jar
Is there a time frame for 1.10 (or better)?
11-29-2022 07:43 AM
I did not find anything under the Knowledge Base, and I have not seen a TSB recently. It does not look like this is specifically a NiFi issue, as CDH 7.1.7 SP1 (even p1057) seems to include 1.6-1.9. This is the announcement from Apache -> https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

=====
CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults

Severity: important

Description:
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.

Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.

Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Mitigation: Upgrade to Apache Commons Text 1.10.0.
=====

Is there a time frame for using 1.10? If not, that's fine too.

From a recently-updated cluster:
=====
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.7.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.9.jar
...
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_messaging_manager/libs/commons-text-1.9.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_replication_manager/lib/commons-text-1.9.jar
=====
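Both posts above boil down to the same check: which commons-text jars on a parcel host fall inside the 1.5 through 1.9 range the Apache advisory names, and which are already at 1.10.0 or later. The script below is an added example written for this page, not code from the thread or from Cloudera; it classifies jars by the version in the filename, and the sample paths it feeds itself are constructed (the three parcel paths quoted in the posts plus a hypothetical 1.10.0 jar and an unrelated commons-lang3 jar). The PRE-1.5 bucket is there because, per the advisory, versions before 1.5 do not ship the script/dns/url lookups by default, so they are below the fixed release but not in the affected range.

```shell
#!/bin/sh
# Added example, not from the thread: classify commons-text jars found on disk
# against the CVE-2022-42889 fixed release (1.10.0). Only the version embedded
# in the filename is inspected; nothing inside the jars is executed.

# Print FIXED for >= 1.10.0, AFFECTED for 1.5 through 1.9 (default lookups
# include script/dns/url per the Apache advisory), PRE-1.5 for anything older.
classify_commons_text() {
  ver="$1"
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  minor="${minor%%[!0-9]*}"   # drop qualifiers such as -SNAPSHOT
  : "${minor:=0}"
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 10 ]; }; then
    echo FIXED
  elif [ "$major" -eq 1 ] && [ "$minor" -ge 5 ]; then
    echo AFFECTED
  else
    echo PRE-1.5
  fi
}

# Read one jar path per line on stdin; emit "<STATUS> <version> <path>" for
# each commons-text jar and silently skip everything else.
scan_commons_text() {
  while IFS= read -r path; do
    base="${path##*/}"
    case "$base" in
      commons-text-*.jar) ;;
      *) continue ;;
    esac
    ver="${base#commons-text-}"
    ver="${ver%.jar}"
    printf '%s %s %s\n' "$(classify_commons_text "$ver")" "$ver" "$path"
  done
}

# Constructed sample input: the three parcel paths quoted in the post, plus a
# hypothetical fixed jar and an unrelated jar to show both are handled.
sample_jars='/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.7.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.9.jar
/opt/example/lib/commons-text-1.10.0.jar
/opt/example/lib/commons-lang3-3.12.0.jar'

# Number of AFFECTED jars in the sample (3 for the constructed input above).
count_affected_sample() {
  printf '%s\n' "$sample_jars" | scan_commons_text | grep -c '^AFFECTED'
}

# On a real parcel host replace the sample with:
#   find /opt/cloudera/parcels -name 'commons-text-*.jar' | scan_commons_text
printf '%s\n' "$sample_jars" | scan_commons_text
```

Two caveats when using this for real. A filename scan misses shaded or uber jars that bundle the org.apache.commons.text classes under another name; `unzip -l <jar> | grep org/apache/commons/text/lookup` catches those. And an AFFECTED jar on disk is necessary but not sufficient for exploitability: the advisory's condition is that untrusted input reaches the interpolating StringSubstitutor, so which services actually do that is a separate question from the inventory.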
08-06-2018 09:24 AM
On a periodic basis (via a script called from cron), we are pulling both the Impala text and thrift profiles from the CM. It works fine mostly. Following this: https://cloudera.github.io/cm_api/apidocs/v13/path__clusters_-clusterName-_services_-serviceName-_impalaQueries_-queryId-.html During very busy periods, pulling profiles sometimes returns "Unknown profile" errors. We are assuming that the profiles are rolling off. Is it possible to a) extend the retention period, and/or b) increase the number saved?
Labels: Apache Impala