Posted to issues@hive.apache.org by "Jeevi Reddy Gudibandi (Jira)" <ji...@apache.org> on 2022/02/10 06:14:00 UTC

[jira] [Commented] (HIVE-24299) hive-ql guava versions and vulnerabilities

    [ https://issues.apache.org/jira/browse/HIVE-24299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489979#comment-17489979 ] 

Jeevi Reddy Gudibandi commented on HIVE-24299:
----------------------------------------------

There is another vulnerability reported on Google's Guava. Checking if there is any plan to upgrade the Guava library that is bundled with hive?

[https://nvd.nist.gov/vuln/detail/CVE-2018-10237]

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

> hive-ql guava versions and vulnerabilities
> ------------------------------------------
>
>                 Key: HIVE-24299
>                 URL: https://issues.apache.org/jira/browse/HIVE-24299
>             Project: Hive
>          Issue Type: Improvement
>          Components: hpl/sql
>    Affects Versions: 3.1.2
>            Reporter: openlookeng
>            Priority: Blocker
>
> hive-ql shades Google's Guava 19.0 component, but it has the vulnerability CVE-2018-10237. Does the team have a plan to update it?


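The CVE text above describes the mechanism: the affected Guava classes allocate according to a size read from the stream before any check, so a server that deserializes untrusted bytes can be forced into a large allocation. Independent of a Guava upgrade, a deserialization filter (JEP 290, Java 9+) stops that class from being resolved at all. The example below is added here and is not Hive's or Guava's code; the allowlisted package `example.app` and the stand-in class `NotAllowed` are assumptions, and the filter uses an allowlist ending in `!*` because a shaded copy of Guava may live under a relocated package name that an explicit deny on the original name would not match.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class GuavaDeserializationFilterDemo {

    // Allowlist: only the application's own types (example.app is an assumed
    // package) plus a few JDK value types may be deserialized. Any other class,
    // including com.google.common.util.concurrent.AtomicDoubleArray under
    // whatever package a shaded copy uses, is rejected before its readObject()
    // runs, so the eager allocation from CVE-2018-10237 never happens.
    // The limits bound depth, reference count, array length and stream size
    // for the classes that are allowed.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxrefs=1000;maxarray=10000;maxbytes=65536;"
            + "java.lang.*;java.util.ArrayList;example.app.**;!*");

    // Deserialize untrusted bytes with the filter installed. A rejected class
    // surfaces as InvalidClassException("filter status: REJECTED").
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed stand-in for a type the application never expects on the wire.
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: an allowlisted ArrayList of strings round-trips.
        System.out.println("accepted: " + readFiltered(serialize(new ArrayList<>(List.of("query", "plan")))));
        // Constructed sample 2: a class outside the allowlist is rejected before any field is read.
        try {
            readFiltered(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with a Java 9 or newer JDK; the same filter string can also be applied process-wide through the `jdk.serialFilter` system property without changing application code.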

--
This message was sent by Atlassian Jira
(v8.20.1#820001)