Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2022/06/04 23:28:03 UTC

[GitHub] [beam] damccorm opened a new issue, #21426: beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are vulnerable to CVE-2021-44228

damccorm opened a new issue, #21426:
URL: https://github.com/apache/beam/issues/21426

   beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog, transitively) declare a *Provided* dependency on org.apache.hive:hive-exec. Users are expected to include a version of those libraries on their classpath when using these Beam artifacts.
   
   However, at this time Hive has not yet made a release that bumps its log4j dependency >= 2.16.0 for CVE-2021-44228. This is ready for Hive 4.0 (HIVE-25795), whenever it is released. Ideally for Beam it would be backported to 2.x (HIVE-25824) as well.
   
   In the meantime, *users of beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog) should take care to override the transitive log4j dependency when they add a hive dependency*. See https://blog.gradle.org/log4j-vulnerability for advice on how to safely configure a gradle build.
   
   Beam currently continuously tests these artifacts with log4j 2.17.0. 
   
   Imported from Jira [BEAM-13499](https://issues.apache.org/jira/browse/BEAM-13499). Original Jira may contain additional context.
   Reported by: bhulette.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
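The override the first post recommends, as an added example that is not part of the issue thread or of the Beam or Hive build files: a Gradle build fragment that supplies hive-exec next to beam-sdks-java-io-hcatalog and pins the transitive log4j artifacts to the 2.17 line (the version Beam tests against), following the constraint approach from the Gradle advice linked above. The `beamVersion` and `hiveVersion` values are placeholders, not versions the thread states as safe.

```groovy
// build.gradle (Groovy DSL). Version values below are placeholders.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

def beamVersion = '<BEAM_VERSION>'   // placeholder
def hiveVersion = '<HIVE_VERSION>'   // placeholder: the Hive line you deploy

dependencies {
    // Beam's HCatalog IO declares hive-exec as a provided dependency,
    // so the user classpath has to bring in a Hive release itself.
    implementation "org.apache.beam:beam-sdks-java-io-hcatalog:${beamVersion}"
    runtimeOnly "org.apache.hive:hive-exec:${hiveVersion}"

    // Override whatever log4j version hive-exec pulls in transitively.
    // A strict rich version rejects older resolutions instead of letting
    // Gradle's highest-wins conflict resolution keep a vulnerable one.
    constraints {
        ['log4j-api', 'log4j-core', 'log4j-1.2-api', 'log4j-slf4j-impl'].each { artifact ->
            implementation("org.apache.logging.log4j:${artifact}") {
                version {
                    strictly '[2.17, 3['
                    prefer '2.17.0'
                }
                because 'CVE-2021-44228: force log4j >= 2.17 regardless of the Hive version supplied'
            }
        }
    }
}
```

Verify the resolved version after syncing with `./gradlew dependencyInsight --configuration runtimeClasspath --dependency log4j-core`; it should report a 2.17.x selection with the `because` reason attached, and fail the build if any transitive path requested a version outside the strict range.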


[GitHub] [beam] Abacn commented on issue #21426: beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are vulnerable to CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
Abacn commented on issue #21426:
URL: https://github.com/apache/beam/issues/21426#issuecomment-1366805647

   Beam bumped the provided dep hive to v3.1.3, which uses log4j 2.17.1.



[GitHub] [beam] Abacn closed issue #21426: beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are vulnerable to CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
Abacn closed issue #21426: beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are vulnerable to CVE-2021-44228
URL: https://github.com/apache/beam/issues/21426
