Posted to issues@hive.apache.org by "Ankur Raj (Jira)" <ji...@apache.org> on 2020/04/20 12:46:00 UTC

[jira] [Updated] (HIVE-23254) Upgrade guava version in hive from 19.0 to 27.0-jre

     [ https://issues.apache.org/jira/browse/HIVE-23254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ankur Raj updated HIVE-23254:
-----------------------------
    Description: 
Upgrade guava version in hive from 19.0 to 27.0-jre. 

Hadoop has already upgraded it as part of [https://jira.apache.org/jira/browse/HADOOP-16213]

Concern: [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]:

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

 

  was:
Upgrade guava version in hive from 19.0 to 27.0-jre. 

Hadoop has already upgraded it as part of [https://jira.apache.org/jira/browse/HADOOP-16213]

Concern : [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]

 


> Upgrade guava version in hive from 19.0 to 27.0-jre
> ---------------------------------------------------
>
>                 Key: HIVE-23254
>                 URL: https://issues.apache.org/jira/browse/HIVE-23254
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 3.1.1
>            Reporter: Ankur Raj
>            Priority: Critical
>
> Upgrade guava version in hive from 19.0 to 27.0-jre. 
> Hadoop has already upgraded it as part of [https://jira.apache.org/jira/browse/HADOOP-16213]
> Concern: [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]:
> Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
>  


