Posted to dev@hive.apache.org by Zoltan Haindrich <ki...@rxd.hu> on 2021/12/15 11:11:15 UTC
Recent log4j vulnerabilities
Hello all!
In the recent week there were 2 new log4j vulnerabilities discovered (CVE-2021-45046, CVE-2021-44228) - and since we use log4j in Hive, existing installations might be affected as well.
Doing a new Hive release on any existing line would probably need a longer timeframe - and doing an upgrade would probably cause further problems for existing installations; for now I'll try to give some help with patching existing clusters.
My understanding is that both CVEs can be fixed by following one of these options:
* remove the JndiLookup.class from the affected jars
* replace the jar with the 2.16.0 version
To identify the affected jars, you could run this script - which will ignore 2.16.0 jars if there are any:
# run with bash (process substitution is used); start from the directory that holds the jars
pat=org/apache/logging/log4j/core/lookup/JndiLookup.class
# exported, because $mc is read inside the single-quoted 'bash -c' below and would otherwise be empty
export mc=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class
find . -name '*.jar' | xargs -n1 -IJAR unzip -t JAR \
  | fgrep -f <(echo "$pat"; echo 'Archive:') | grep -B1 "$pat" | grep '^Archive:' | cut -d '/' -f2- \
  | xargs -n1 -IJAR bash -c 'unzip -p JAR $mc | md5sum | paste - <(echo JAR)' \
  | fgrep -vf <(echo 374fa1c796465d8f542bb85243240555)   # md5 of MessagePatternConverter.class in 2.16.0
You could remove the JndiLookup.class from the identified jars with something similar to this:
# one jar per invocation: zip -d treats any further arguments as entry names to delete
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
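As an added example (not part of this post or of Hive), the same identify-and-patch steps in Python: jar_status() applies the 2.16.0 md5 exemption from the one-liner above and also reports jars that already had the class removed, find_affected_jars() walks a directory tree, and strip_jndi_lookup() rewrites a jar without JndiLookup.class. The function names are mine, and the jar built in demo() is a constructed sample with placeholder bytes instead of real class files.

```python
import hashlib
import os
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MSG_CONVERTER = "org/apache/logging/log4j/core/pattern/MessagePatternConverter.class"
MD5_2_16_0 = "374fa1c796465d8f542bb85243240555"  # MessagePatternConverter.class in 2.16.0 (from the post)

def jar_status(path):
    """'not-log4j-core', '2.16.0', 'affected' (JndiLookup.class present) or 'jndi-removed'."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if MSG_CONVERTER not in names:
            return "not-log4j-core"
        if hashlib.md5(jar.read(MSG_CONVERTER)).hexdigest() == MD5_2_16_0:
            return "2.16.0"  # same exemption the shell one-liner applies
        return "affected" if JNDI_LOOKUP in names else "jndi-removed"

def find_affected_jars(root):
    """Recursively list jars under root that still contain JndiLookup.class."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root) for f in files
                  if f.endswith(".jar") and jar_status(os.path.join(d, f)) == "affected")

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (what `zip -d` does), keeping every other entry."""
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
    os.close(fd)
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info))
    os.replace(tmp, path)  # atomic swap of the patched jar over the original

def demo():
    """Constructed sample: one fake vulnerable jar in a temp tree; scan, patch, rescan."""
    root = tempfile.mkdtemp()
    vuln = os.path.join(root, "lib", "log4j-core-2.10.0.jar")
    os.makedirs(os.path.dirname(vuln))
    with zipfile.ZipFile(vuln, "w") as z:  # placeholder bytes stand in for real class files
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe jndi")
        z.writestr(MSG_CONVERTER, b"\xca\xfe\xba\xbe mpc")
    before = [os.path.relpath(p, root).replace(os.sep, "/") for p in find_affected_jars(root)]
    for p in find_affected_jars(root):
        strip_jndi_lookup(p)
    after, status = find_affected_jars(root), jar_status(vuln)
    shutil.rmtree(root)
    return before, after, status
```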
To check whether you are still affected:
* generate a token on https://canarytokens.org/
* try queries like these (substitute your token):
set hive.fetch.task.conversion=none;
create table aa (a string) location 'file:///dfs${jndi:ldap:....canarytokens.com/a}';
select '${jndi:ldap://....canarytokens.com/a}';
cheers,
Zoltan