Posted to commits@hive.apache.org by ng...@apache.org on 2021/12/15 21:11:35 UTC
[hive] branch branch-3 updated: HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
This is an automated email from the ASF dual-hosted git repository.
ngangam pushed a commit to branch branch-3
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/branch-3 by this push:
new 63a056a HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
63a056a is described below
commit 63a056ae87de739ba2ea66fd4001f529357a4aa1
Author: Naveen Gangam <ng...@cloudera.com>
AuthorDate: Wed Dec 15 15:57:45 2021 -0500
HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
---
bin/hive-config.sh | 4 ++++
pom.xml | 2 +-
.../apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java | 4 ++++
standalone-metastore/pom.xml | 7 ++++++-
testutils/ptest2/pom.xml | 2 +-
5 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/bin/hive-config.sh b/bin/hive-config.sh
index d52b84e..8381a25 100644
--- a/bin/hive-config.sh
+++ b/bin/hive-config.sh
@@ -68,3 +68,7 @@ export HIVE_AUX_JARS_PATH=$HIVE_AUX_JARS_PATH
# Default to use 256MB
export HADOOP_HEAPSIZE=${HADOOP_HEAPSIZE:-256}
+
+# Disable the JNDI. This feature has critical RCE vulnerability.
+# when 2.x <= log4j.version <= 2.14.1
+export HADOOP_CLIENT_OPTS="$HADOOP_CLIENT_OPTS -Dlog4j2.formatMsgNoLookups=true"
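Review bot: The comment above the new `export` overstates what the flag does: `log4j2.formatMsgNoLookups` turns off lookup substitution in log messages rather than JNDI itself, and to my knowledge the property is only read by log4j 2.10.0 and later, so the range `2.x <= log4j.version <= 2.14.1` is wider than what is covered. Since this commit also moves the bundled version to 2.16.0, the flag matters only for older log4j-core jars that reach the classpath from elsewhere, and the comment should say so to keep anyone from treating it as the fix. I would reword it to `# Defence in depth: disable log4j2 message lookups for any older log4j-core (2.10+) on the classpath.` followed by `# No effect before 2.10; upgrading log4j-core is the actual fix.` The setting also reaches only JVMs that read HADOOP_CLIENT_OPTS, which presumably includes the Hive launch scripts but should be confirmed for services started another way.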
diff --git a/pom.xml b/pom.xml
index 96e0217..40087d8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -182,7 +182,7 @@
<kryo.version>3.0.3</kryo.version>
<libfb303.version>0.9.3</libfb303.version>
<libthrift.version>0.9.3</libthrift.version>
- <log4j2.version>2.10.0</log4j2.version>
+ <log4j2.version>2.16.0</log4j2.version>
<opencsv.version>2.3</opencsv.version>
<orc.version>1.5.6</orc.version>
<mockito-all.version>1.10.19</mockito-all.version>
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java b/ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java
index 664734c..67bbd8e 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java
@@ -73,6 +73,10 @@ public class SlidingFilenameRolloverStrategy
return getLogFileName(pattern);
}
+ @Override public void clearCurrentFileName() {
+ // no rename is needed
+ }
+
/**
* @return Mangled file name formed by appending the current timestamp
*/
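Review bot: The new `clearCurrentFileName()` override has an empty body whose only comment is `// no rename is needed`, which tells a reader neither why the method exists nor why doing nothing is correct. It was presumably added because the rollover strategy interface in the upgraded log4j2 declares this method; if that is the case, say so, e.g. `// Needed to satisfy the rollover strategy interface in the newer log4j2; nothing to clear because this strategy does not rename files.` The method that follows in the hunk carries Javadoc, and `@Override` sharing a line with the signature may not match the file's style; check both against the rest of the class, which starts and ends outside this hunk.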
diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
index 04eca50..7599882 100644
--- a/standalone-metastore/pom.xml
+++ b/standalone-metastore/pom.xml
@@ -78,7 +78,7 @@
<junit.version>4.11</junit.version>
<libfb303.version>0.9.3</libfb303.version>
<libthrift.version>0.9.3</libthrift.version>
- <log4j2.version>2.8.2</log4j2.version>
+ <log4j2.version>2.16.0</log4j2.version>
<mockito-all.version>1.10.19</mockito-all.version>
<orc.version>1.5.1</orc.version>
<protobuf.version>2.5.0</protobuf.version>
@@ -265,6 +265,11 @@
<version>${log4j2.version}</version>
</dependency>
<dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+ <version>${log4j2.version}</version>
+ </dependency>
+ <dependency>
<groupId>org.apache.thrift</groupId>
<artifactId>libfb303</artifactId>
<version>${libfb303.version}</version>
diff --git a/testutils/ptest2/pom.xml b/testutils/ptest2/pom.xml
index 10dda97..450c158 100644
--- a/testutils/ptest2/pom.xml
+++ b/testutils/ptest2/pom.xml
@@ -26,7 +26,7 @@ limitations under the License.
<name>hive-ptest</name>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- <log4j2.version>2.10.0</log4j2.version>
+ <log4j2.version>2.16.0</log4j2.version>
<spring.framework.version>3.2.16.RELEASE</spring.framework.version>
<jclouds.version>2.0.0</jclouds.version>
<checkstyle.conf.dir>${basedir}/../../checkstyle/</checkstyle.conf.dir>