You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/12/16 07:22:00 UTC

[jira] [Work logged] (HIVE-26681) Upgrade dom4j: flexible XML framework for Java to safe version due to critical CVEs

     [ https://issues.apache.org/jira/browse/HIVE-26681?focusedWorklogId=834063&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834063 ]

ASF GitHub Bot logged work on HIVE-26681:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 16/Dec/22 07:21
            Start Date: 16/Dec/22 07:21
    Worklog Time Spent: 10m 
      Work Description: devaspatikrishnatri commented on PR #3716:
URL: https://github.com/apache/hive/pull/3716#issuecomment-1354321521

   Hi @cnauroth ,the title is currently misleading(I will change it) , this patch actually removes dom4j jars from hive as I do not think that they were used in hive and are having these CVEs:
   
   CVE-2018-1000632 (HIGH severity) - dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
   
   CVE-2020-10683 (CRITICAL severity) - dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
   
   




Issue Time Tracking
-------------------

    Worklog Id:     (was: 834063)
    Time Spent: 40m  (was: 0.5h)

> Upgrade dom4j: flexible XML framework for Java to safe version due to critical CVEs
> -----------------------------------------------------------------------------------
>
>                 Key: HIVE-26681
>                 URL: https://issues.apache.org/jira/browse/HIVE-26681
>             Project: Hive
>          Issue Type: Task
>            Reporter: Devaspati Krishnatri
>            Assignee: Devaspati Krishnatri
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 40m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)