Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AMBARI-23109] Upgrading org.apache.httpcomponents:httpclient dependency to v4.5.5 due to security concerns #502

Merged
merged 1 commit into from
Mar 5, 2018
Merged

[AMBARI-23109] Upgrading org.apache.httpcomponents:httpclient dependency to v4.5.5 due to security concerns #502

merged 1 commit into from
Mar 5, 2018

Conversation

smolnar82
Copy link
Contributor

What changes were proposed in this pull request?

Per CVE-2014-3577

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Per CVE-2015-5262

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

So that we need to upgrade to a more recent version (>4.3.6); at the time of this issue is being fixed the latest one is 4.5.5

How was this patch tested?

After updating the affected pom.xml files I've done the following:

1.) Checking Maven's dependency resolution:

ambari-funtest smolnar$ mvn dependency:tree -Dincludes=*:*httpclient*

[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] Building Ambari Functional Tests 2.6.1.0.0
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-funtest ---
[INFO] org.apache.ambari:ambari-funtest:jar:2.6.1.0.0
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.5:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.428 s
[INFO] Finished at: 2018-02-28T20:24:57+01:00
[INFO] Final Memory: 45M/1212M
[INFO] ------------------------------------------------------------------------

2.) I executed mvn clean install for ambari-funtest (using -am to build its local dependencies):

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] Ambari Main ........................................ SUCCESS [  4.250 s]
[INFO] Apache Ambari Project POM .......................... SUCCESS [  0.014 s]
[INFO] Ambari Views ....................................... SUCCESS [  1.229 s]
[INFO] utility ............................................ SUCCESS [  0.316 s]
[INFO] ambari-metrics ..................................... SUCCESS [  0.466 s]
[INFO] Ambari Metrics Common .............................. SUCCESS [  4.689 s]
[INFO] Ambari Server ...................................... SUCCESS [01:43 min]
[INFO] Ambari Functional Tests ............................ SUCCESS [  1.024 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:56 min
[INFO] Finished at: 2018-02-28T20:29:58+01:00
[INFO] Final Memory: 105M/1743M
[INFO] ------------------------------------------------------------------------

As far as I know this project (ambari-funtest) is out of use currently.

@smolnar82
Copy link
Contributor Author

@rlevas @zeroflag @adoroszlai @dlysnichenko Please review this PR; thanks!

rlevas
rlevas reviewed Feb 28, 2018
View reviewed changes
ambari-funtest/pom.xml
@@ -527,16 +526,27 @@
<groupId>org.apache.ambari</groupId>
<artifactId>ambari-metrics-common</artifactId>
<version>${project.version}</version>
<exclusions>
<exclusion>
<groupId>org.apache.httpcomponents</groupId>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure this is not needed for Metrics?

Copy link
Contributor Author

@smolnar82 smolnar82 Mar 1, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We directly depend on org.apache.httpcomponents:httpclient in ambari-funtest (see in lines 486-489):

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-funtest ---
[INFO] org.apache.ambari:ambari-funtest:jar:2.6.1.0.0
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.5:compile

The managed version (v4.5.5) will be available on the classpath so that Metrics can use its classes.

@asfgit
Copy link

asfgit commented Mar 1, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/881/
Test PASSed.

@smolnar82
Copy link
Contributor Author

Can someone please merge this PR? Thanks!

@adoroszlai adoroszlai merged commit 33e1f57 into apache:branch-2.6 Mar 5, 2018
@smolnar82 smolnar82 mentioned this pull request Mar 5, 2018
Merged
mpapirkovskyy pushed a commit to mpapirkovskyy/ambari that referenced this pull request Apr 12, 2019
@smolnar82 @adoroszlai
AMBARI-23109. Upgrading org.apache.httpcomponents:httpclient dependen…
e29e303 
…cy to v4.5.5 due to security concerns (apache#502)

(cherry picked from commit 33e1f57)

Change-Id: Ie0f265ce4d28b8e5d850ff7f4709f810714fa101
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rlevas rlevas rlevas approved these changes

@adoroszlai adoroszlai adoroszlai approved these changes

Assignees

@smolnar82 smolnar82

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@smolnar82 @asfgit @adoroszlai @rlevas