Posted to issues@beam.apache.org by "Brian Hulette (Jira)" <ji...@apache.org> on 2022/03/24 15:48:00 UTC

[jira] [Commented] (BEAM-13499) beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are vulnerable to CVE-2021-44228

    [ https://issues.apache.org/jira/browse/BEAM-13499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511923#comment-17511923 ] 

Brian Hulette commented on BEAM-13499:
--------------------------------------

2.3.10 is still not available as of the Beam 2.38.0 cut.

> beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are vulnerable to CVE-2021-44228
> ------------------------------------------------------------------------------------------------------
>
>                 Key: BEAM-13499
>                 URL: https://issues.apache.org/jira/browse/BEAM-13499
>             Project: Beam
>          Issue Type: Bug
>          Components: dsl-sql, io-java-hcatalog
>    Affects Versions: 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0
>            Reporter: Brian Hulette
>            Priority: P2
>             Fix For: 2.38.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog, transitively) declare a *Provided* dependency on org.apache.hive:hive-exec. Users are expected to include a version of those libraries on their classpath when using these Beam artifacts.
> However, at this time Hive has not yet made a release that bumps its log4j dependency to >= 2.16.0 for CVE-2021-44228. This is ready for Hive 4.0 (HIVE-25795), whenever it is released. Ideally for Beam it would be backported to 2.x (HIVE-25824) as well.
> In the meantime, *users of beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog) should take care to override the transitive log4j dependency when they add a Hive dependency*. See https://blog.gradle.org/log4j-vulnerability for advice on how to safely configure a Gradle build.
> Beam currently continuously tests these artifacts with log4j 2.17.0.
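The override the issue description asks for, as an added example that is not part of the Jira issue, the Beam project, or the linked Gradle post: a Gradle (Groovy DSL) build fragment that declares the Hive dependency the Beam artifact leaves as Provided, constrains the transitive log4j 2 artifacts to a version not affected by CVE-2021-44228, and adds a task that fails the build if a vulnerable log4j-core still resolves. The Beam and Hive version strings are placeholders, and the `checkLog4j` task name and its version-parsing logic are this example's own, not anything Beam or Gradle ship.

```groovy
// Added example: not from the BEAM-13499 issue or the Beam project.
// Versions below are placeholders; substitute the ones your build uses.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // The Beam artifact declares hive-exec as Provided, so the build must add Hive itself.
    implementation 'org.apache.beam:beam-sdks-java-io-hcatalog:2.38.0' // placeholder version
    implementation 'org.apache.hive:hive-exec:2.3.9'                   // placeholder version

    // Dependency constraints also apply to transitive dependencies, so whichever
    // log4j version hive-exec pulls in is replaced by one inside this range.
    constraints {
        implementation('org.apache.logging.log4j:log4j-core') {
            version {
                strictly('[2.17, 3[')   // any 2.17.x or later 2.x, never a 3.x
                prefer('2.17.0')        // the version Beam reports testing against
            }
            because('CVE-2021-44228: JNDI lookup remote code execution in log4j-core < 2.16')
        }
        implementation('org.apache.logging.log4j:log4j-api') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('keep log4j-api in step with the constrained log4j-core')
        }
    }
}

// Hypothetical verification task (this example's own, not a Gradle built-in):
// walk the resolved runtime classpath and fail if a log4j-core below 2.17 survived.
tasks.register('checkLog4j') {
    doLast {
        def vulnerable = []
        configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts.each { artifact ->
            def id = artifact.moduleVersion.id
            if (id.group == 'org.apache.logging.log4j' && id.name == 'log4j-core') {
                // Compare only major.minor; "2.17.0" -> [2, 17]
                def (major, minor) = id.version.tokenize('.').take(2)*.toInteger()
                if (major < 2 || (major == 2 && minor < 17)) {
                    vulnerable << "${id.group}:${id.name}:${id.version}"
                }
            }
        }
        if (!vulnerable.isEmpty()) {
            throw new GradleException("Vulnerable log4j-core on runtimeClasspath: ${vulnerable}")
        }
        println 'checkLog4j: no vulnerable log4j-core resolved'
    }
}

// Run the check as part of the normal verification lifecycle.
tasks.named('check') {
    dependsOn 'checkLog4j'
}
```

To see where a log4j version comes from and confirm the constraint won, run `./gradlew dependencyInsight --dependency log4j-core --configuration runtimeClasspath`. Constraints only influence artifacts Gradle resolves; classes bundled inside a shaded or fat jar on the classpath are not affected, so the deployed classpath should be inspected as well.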



--
This message was sent by Atlassian Jira
(v8.20.1#820001)