Posted to issues@hive.apache.org by "Jeevi Reddy Gudibandi (Jira)" <ji...@apache.org> on 2022/02/10 06:14:00 UTC
[jira] [Commented] (HIVE-24299) hive-ql guava versions and vulnerabilities
[ https://issues.apache.org/jira/browse/HIVE-24299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489979#comment-17489979 ]
Jeevi Reddy Gudibandi commented on HIVE-24299:
----------------------------------------------
There is another vulnerability reported on Google's Guava. Checking if there is any plan to upgrade the Guava library that is bundled with hive?
[https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
> hive-ql guava versions and vulnerabilities
> ------------------------------------------
>
> Key: HIVE-24299
> URL: https://issues.apache.org/jira/browse/HIVE-24299
> Project: Hive
> Issue Type: Improvement
> Components: hpl/sql
> Affects Versions: 3.1.2
> Reporter: openlookeng
> Priority: Blocker
>
> hive-ql shades Google's Guava 19.0 component, but it has the vulnerability CVE-2018-10237; does the team have a plan to update it?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
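The thread above asks whether the Guava bundled in hive-ql falls in the CVE-2018-10237 range (11.0 through 24.x before 24.1.1, per the quoted NVD text). The following is an added example, not code from the Jira thread or from the Hive project: it opens a jar, reads the Guava `pom.properties` that Maven records for a bundled dependency, and compares the version against that range. It assumes the shading step kept `META-INF/maven/com.google.guava/guava/pom.properties` (shading often strips it), so it also reports whether a class named in the CVE, `AtomicDoubleArray`, is present anywhere in the jar, matched by simple name because a shaded build may relocate the package. The sample jars, including the `org/apache/hive/...` relocation prefix, are constructed inline for the demonstration and are not real Hive artifacts.

```python
"""Added example (not from the Jira thread): check a jar for a bundled Guava
whose version falls in the CVE-2018-10237 range quoted from NVD above."""
import io
import re
import zipfile

# Bounds taken from the NVD text: affected from 11.0 up to, but not
# including, the fixed release 24.1.1.
FIRST_AFFECTED = (11, 0, 0)
FIRST_FIXED = (24, 1, 1)

# Path Maven writes into a jar for each dependency it bundles.
# Assumption: the shading step kept this file (it is often filtered out).
GUAVA_POM_PROPS = "META-INF/maven/com.google.guava/guava/pom.properties"

# One of the two classes named in the CVE. Shading may relocate the package,
# so only the class's simple name is matched.
VULN_CLASS_SIMPLE_NAME = "AtomicDoubleArray.class"


def parse_version(version: str) -> tuple:
    """'24.1-jre' -> (24, 1, 0); qualifiers after '-' are dropped."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the version lies in [11.0, 24.1.1)."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def bundled_guava_version(jar_bytes: bytes):
    """Return the Guava version recorded in the jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if GUAVA_POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(GUAVA_POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def contains_vuln_class(jar_bytes: bytes) -> bool:
    """True if a class with the CVE's simple name exists under any package."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(n.endswith("/" + VULN_CLASS_SIMPLE_NAME) for n in zf.namelist())


def assess_jar(jar_bytes: bytes) -> dict:
    """Combine the version check and the class-presence check for one jar."""
    version = bundled_guava_version(jar_bytes)
    return {
        "guava_version": version,
        "version_affected": is_affected(version) if version else None,
        "vuln_class_present": contains_vuln_class(jar_bytes),
    }


def build_sample_jar(version: str, relocated: bool) -> bytes:
    """Constructed stand-in for a shaded jar (hypothetical layout, not Hive's)."""
    prefix = "org/apache/hive/com/google/common" if relocated else "com/google/common"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            GUAVA_POM_PROPS,
            f"groupId=com.google.guava\nartifactId=guava\nversion={version}\n",
        )
        # Class file magic only; the body is irrelevant to the check.
        zf.writestr(f"{prefix}/util/concurrent/AtomicDoubleArray.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("19.0", "24.1-jre", "24.1.1-jre", "30.1-jre"):
        print(ver, assess_jar(build_sample_jar(ver, relocated=True)))
```

Run against a real `hive-exec` or other shaded jar by passing its bytes to `assess_jar`; a `None` version with `vuln_class_present` true means the metadata was stripped and the version has to be confirmed from the build's dependency tree instead.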