Details
- Type: Bug
- Status: Resolved
- Priority: P1
- Resolution: Fixed
- Affects Version/s: 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0
- Environment: Python3 using default PyPI.
Description
Beam version 2.2.0 requires httplib2 0.9.2 which has a known vulnerability (CVE-2013-2037). This is the latest version of Beam that works with Python 3 (according to pypi).
Even though 2.2.0 is old, it is still the version that one will get if they install Beam using ‘pip install apache-beam’ on distributions that default to Python 3.
I’m not sure how exploitable this is using Beam. The weakness is that the server’s hostname isn’t verified to be in the cert’s CN subject or SAN. This may allow an attacker to spoof a server.
It’s possible the fix is as simple as a release of 2.2 that changes the requirement of httplib2 from 0.9.2 to 0.10, and then release that to pypi. That’s probably pretty complicated.
This will go away when Beam supports Python 3, since pypi will then offer some later version of Beam that doesn’t require the ancient version of httplib2.
The fix to Beam is to require httplib2 0.10.1 or later. The fix to httplib2 is here: https://github.com/httplib2/httplib2/issues/5.
NVD:
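Added example, not code from the Beam issue or the httplib2 project: a version gate for the requirement the issue proposes (httplib2 >= 0.10.1), next to a small CN/SAN hostname matcher of the kind httplib2 0.9.2 skipped. The sample certificate dict is constructed in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
import re

# Minimum httplib2 version the issue asks Beam to require (the hostname-check fix).
MIN_HTTPLIB2 = (0, 10, 1)


def parse_version(version):
    """Turn '0.9.2' into (0, 9, 2) so versions compare as tuples, not strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def httplib2_is_vulnerable(version):
    """True when the installed/pinned httplib2 predates the CVE-2013-2037 fix."""
    return parse_version(version) < MIN_HTTPLIB2


def _dns_match(pattern, hostname):
    """Match one CN/SAN entry against a hostname; '*' covers a single left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """The check old httplib2 omitted: hostname must appear in the cert's DNS SANs,
    or, only when no DNS SAN is present, in its subject commonName."""
    san_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        return any(_dns_match(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


# Constructed sample certificate (not from any real host), in getpeercert() shape.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "*.cdn.example.test")),
}

if __name__ == "__main__":
    print("httplib2 0.9.2 vulnerable:", httplib2_is_vulnerable("0.9.2"))
    print("api.example.test matches:", hostname_matches_cert(SAMPLE_CERT, "api.example.test"))
    print("attacker.example.test matches:", hostname_matches_cert(SAMPLE_CERT, "attacker.example.test"))
```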