Posted to issues@hive.apache.org by "Zoltan Haindrich (Jira)" <ji...@apache.org> on 2021/12/15 10:14:00 UTC

[jira] [Commented] (HIVE-25804) Update log4j2 version to 2.16.0 to incorporate further CVE-2021-44228 hardening

    [ https://issues.apache.org/jira/browse/HIVE-25804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459803#comment-17459803 ] 

Zoltan Haindrich commented on HIVE-25804:
-----------------------------------------

Because the most recent vulnerability is only evadable by removing the "bad" JndiLookup class, I think the biggest problem people are facing is identifying the jars which should be looked at; the following one-liner script looks into all jars from the current directory and lists affected jars:
{code}
# pat = the class to remove; mc = a class whose md5 identifies already-fixed log4j-core builds.
# Both must be exported: the inner "bash -c" is a child process and would otherwise see $mc as empty.
export pat=org/apache/logging/log4j/core/lookup/JndiLookup.class mc=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class && \
find . -name '*.jar' | xargs -n1 -IJAR unzip -t JAR | fgrep -f <(echo "$pat"; echo 'Archive:') | grep -B1 "$pat" | grep '^Archive:' | cut -d '/' -f2- | \
  xargs -n1 -IJAR bash -c 'unzip -p JAR "$mc" | md5sum | paste - <(echo JAR)' | fgrep -vf <(echo 374fa1c796465d8f542bb85243240555)
{code}

It only lists them; you should still run the removal command on the jars manually:
{code}
# run once per affected jar: zip -d takes one archive followed by the entries to delete,
# so the glob must match exactly one file
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
{code}

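As an added example (not part of the comment above or of the Hive project), the following Python scanner performs the same JndiLookup.class hunt as the one-liner but also descends into jars and wars nested inside other archives, which `unzip -t` on the outer file does not list, and reports a SHA-256 of the class so a known-good hash can be pinned. The sample archives it builds are constructed fixtures, not real log4j bytecode.

```python
import hashlib
import io
import zipfile

# Entry the comment says to delete from affected log4j-core jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, name: str, findings=None, depth=0):
    """Recursively scan a zip archive (and archives nested inside it) for
    JndiLookup.class. Returns a list of (archive path, sha256 of the class)."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip: nothing to inspect
    with zf:
        for info in zf.infolist():
            if info.filename == JNDI_LOOKUP:
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                findings.append((name, digest))
            elif info.filename.lower().endswith(NESTED_SUFFIXES) and depth < 5:
                # shaded/fat jars and wars embed log4j-core as a nested archive
                nested_name = f"{name}!{info.filename}"
                scan_archive(zf.read(info), nested_name, findings, depth + 1)
    return findings


def scan_path(path):
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)


def build_sample():
    """Constructed fixtures (fake bytes, not real classes): a vulnerable jar,
    a war nesting that jar under WEB-INF/lib, and a clean jar."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry, payload in entries.items():
                zf.writestr(entry, payload)
        return buf.getvalue()
    vulnerable = make_zip({JNDI_LOOKUP: b"\xca\xfe\xba\xbe constructed"})
    clean = make_zip({"org/apache/logging/log4j/core/pattern/MessagePatternConverter.class": b"x"})
    war = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable, "index.html": b"<html/>"})
    return {"log4j-core-2.14.1.jar": vulnerable, "app.war": war, "other.jar": clean}


def affected(archives):
    """Map archive name -> findings, keeping only archives that contain the class."""
    results = {n: scan_archive(d, n) for n, d in archives.items()}
    return {n: f for n, f in results.items() if f}
```

Running `affected(build_sample())` flags the jar and the war (with the nested path after `!`) and leaves the clean jar out; point `scan_path` at real files on disk for a real scan.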

> Update log4j2 version to 2.16.0 to incorporate further CVE-2021-44228 hardening
> -------------------------------------------------------------------------------
>
>                 Key: HIVE-25804
>                 URL: https://issues.apache.org/jira/browse/HIVE-25804
>             Project: Hive
>          Issue Type: Bug
>          Components: Logging
>            Reporter: Csaba Juhász
>            Assignee: Csaba Juhász
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 4.0.0
>
>         Attachments: HIVE-25804.patch
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
> https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0



--
This message was sent by Atlassian Jira
(v8.20.1#820001)