This is an automated email from the ASF dual-hosted git repository.

sankarh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new f577834  HIVE-25795: [CVE-2021-44228] Update log4j2 version to 2.15.0
f577834 is described below

commit f5778344034912fa47a770ca2917d95c9fcfff12
Author: guptanikhil007 <[email protected]>
AuthorDate: Sun Dec 12 21:52:12 2021 +0530

    HIVE-25795: [CVE-2021-44228] Update log4j2 version to 2.15.0
    
    Signed-off-by: Sankar Hariappan <[email protected]>
    Closes (#2863)
---
 bin/hive-config.sh           | 4 ++++
 pom.xml                      | 2 +-
 standalone-metastore/pom.xml | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/bin/hive-config.sh b/bin/hive-config.sh
index d52b84e..8381a25 100644
--- a/bin/hive-config.sh
+++ b/bin/hive-config.sh
@@ -68,3 +68,7 @@ export HIVE_AUX_JARS_PATH=$HIVE_AUX_JARS_PATH
 
 # Default to use 256MB 
 export HADOOP_HEAPSIZE=${HADOOP_HEAPSIZE:-256}
+
+# Disable the JNDI. This feature has critical RCE vulnerability.
+# when 2.x <= log4j.version <= 2.14.1
+export HADOOP_CLIENT_OPTS="$HADOOP_CLIENT_OPTS 
-Dlog4j2.formatMsgNoLookups=true"
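Review bot: The comment on the new export is imprecise in two ways: `-Dlog4j2.formatMsgNoLookups=true` does not disable JNDI, it disables `${...}` lookups inside formatted log messages, and that property is only honored by log4j 2.10 and later, so the stated range "2.x <= log4j.version <= 2.14.1" overstates what it protects. I would reword it to `# Mitigate CVE-2021-44228: disable lookups in formatted log messages (honored by log4j >= 2.10 only).` followed by `# Defense in depth alongside the 2.15.0 bump; not a substitute for upgrading.`. Follow-up advisories to CVE-2021-44228 reported shortly after this commit date that the flag and 2.15.0 are not a complete fix for some non-default pattern-layout configurations, so this should be treated as interim and a release that removes message lookups entirely planned for. The value line appears to be wrapped by the mail (the continuation carries no diff marker); if it were really committed as two lines the quoted string would contain a newline, which is worth confirming in the tree.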
diff --git a/pom.xml b/pom.xml
index 3f28653..adc6f34 100644
--- a/pom.xml
+++ b/pom.xml
@@ -178,7 +178,7 @@
     <!-- Leaving libfb303 at 0.9.3 regardless of libthrift: As per THRIFT-4613 
The Apache Thrift project does not publish items related to fb303 at this point 
-->
     <libfb303.version>0.9.3</libfb303.version>
     <libthrift.version>0.14.1</libthrift.version>
-    <log4j2.version>2.13.2</log4j2.version>
+    <log4j2.version>2.15.0</log4j2.version>
     <mariadb.version>2.5.0</mariadb.version>
     <mssql.version>6.2.1.jre8</mssql.version>
     <mysql.version>8.0.27</mysql.version>
diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
index 9b3d3a3..bd331e3 100644
--- a/standalone-metastore/pom.xml
+++ b/standalone-metastore/pom.xml
@@ -91,7 +91,7 @@
     <junit.vintage.version>5.6.2</junit.vintage.version>
     <libfb303.version>0.9.3</libfb303.version>
     <libthrift.version>0.14.1</libthrift.version>
-    <log4j2.version>2.13.2</log4j2.version>
+    <log4j2.version>2.15.0</log4j2.version>
     <mockito-core.version>3.3.3</mockito-core.version>
     <orc.version>1.6.9</orc.version>
     <!-- com.google repo will be used except on Aarch64 platform. -->
