This is an automated email from the ASF dual-hosted git repository.
sunchao pushed a commit to branch branch-2.3
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/branch-2.3 by this push:
new 7b7e8d4 HIVE-25824: Upgrade log4j dependencies to 2.17.0 (#2908)
7b7e8d4 is described below
commit 7b7e8d4d7910b9b6dc2fe498a6a4228c628853c1
Author: Luca Toscano <[email protected]>
AuthorDate: Thu Jan 13 07:05:53 2022 +0100
HIVE-25824: Upgrade log4j dependencies to 2.17.0 (#2908)
This change should mimic what was done in the 3.x and master branches
to fix the various CVEs related to log4j.
The Apache Bigtop project used the same patch on top of 2.3.6
(released with Bigtop 1.5) and all our build/smoke-tests
passed.
---
bin/hive-config.sh | 4 ++++
druid-handler/pom.xml | 5 +++++
hbase-handler/pom.xml | 5 +++++
jdbc/pom.xml | 5 +++++
llap-server/pom.xml | 5 +++++
pom.xml | 6 +++---
ql/pom.xml | 5 +++++
.../org/apache/hadoop/hive/ql/log/NoDeleteRollingFileAppender.java | 2 +-
service/pom.xml | 7 ++++++-
testutils/ptest2/pom.xml | 2 +-
10 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/bin/hive-config.sh b/bin/hive-config.sh
index d52b84e..8381a25 100644
--- a/bin/hive-config.sh
+++ b/bin/hive-config.sh
@@ -68,3 +68,7 @@ export HIVE_AUX_JARS_PATH=$HIVE_AUX_JARS_PATH
# Default to use 256MB
export HADOOP_HEAPSIZE=${HADOOP_HEAPSIZE:-256}
+
+# Disable the JNDI. This feature has critical RCE vulnerability.
+# when 2.x <= log4j.version <= 2.14.1
+export HADOOP_CLIENT_OPTS="$HADOOP_CLIENT_OPTS
-Dlog4j2.formatMsgNoLookups=true"
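Review bot: The added comment says the property disables JNDI, but `log4j2.formatMsgNoLookups` only switches off `${...}` lookups in formatted messages, and the same commit bumps `log4j2.version` to 2.17.0, where the lookup-based RCE is already fixed in the library itself, so both the wording and the `2.x <= log4j.version <= 2.14.1` range are stale as soon as this lands. The property is still reasonable defence in depth for an older log4j-core that reaches the classpath transitively, so keep it but say that: `# Defence in depth: disable log4j2 message lookups. The JNDI lookup RCE is fixed by the` / `# log4j 2.17.0 upgrade in pom.xml; this flag is a no-op there and only matters if an older` / `# log4j-core is pulled in transitively.` As rendered, the `-Dlog4j2.formatMsgNoLookups=true"` continuation sits on its own line; that is most likely e-mail wrapping of one long diff line, but if the script really contains a line break inside the quoted value, the export should be joined onto one line.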
diff --git a/druid-handler/pom.xml b/druid-handler/pom.xml
index 9d163c6..86fd1da 100644
--- a/druid-handler/pom.xml
+++ b/druid-handler/pom.xml
@@ -223,6 +223,11 @@
<artifactId>calcite-druid</artifactId>
<version>${calcite.version}</version>
</dependency>
+ <dependency>
+ <groupId>com.lmax</groupId>
+ <artifactId>disruptor</artifactId>
+ <version>${disruptor.version}</version>
+ </dependency>
<!-- test inter-project -->
<dependency>
<groupId>junit</groupId>
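Review bot: The new `com.lmax:disruptor` dependency is declared without a `<scope>`, so it becomes a compile-scope dependency of druid-handler and is exported to every consumer of the module, whereas the root pom's comment on `disruptor.version` says it is required for the logging tests; if it is only needed for tests or at run time, `<scope>test</scope>` (or `runtime`) would keep it off the compile classpath and out of the shipped artifacts. The same unscoped block is repeated verbatim in hbase-handler/pom.xml, jdbc/pom.xml, llap-server/pom.xml and service/pom.xml, so declaring the version and scope once in the root pom's `<dependencyManagement>` would avoid five copies that must be kept in sync. If it is genuinely needed in all of these modules, a one-line comment stating why, e.g. `<!-- needed by log4j2 <feature> after HIVE-25824 -->`, would stop a later dependency cleanup from removing it.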
diff --git a/hbase-handler/pom.xml b/hbase-handler/pom.xml
index e56ef53..a831fed 100644
--- a/hbase-handler/pom.xml
+++ b/hbase-handler/pom.xml
@@ -102,6 +102,11 @@
<artifactId>hbase-hadoop-compat</artifactId>
<version>${hbase.version}</version>
</dependency>
+ <dependency>
+ <groupId>com.lmax</groupId>
+ <artifactId>disruptor</artifactId>
+ <version>${disruptor.version}</version>
+ </dependency>
<!-- test inter-project -->
<dependency>
diff --git a/jdbc/pom.xml b/jdbc/pom.xml
index 3bc69cd..aa70329 100644
--- a/jdbc/pom.xml
+++ b/jdbc/pom.xml
@@ -109,6 +109,11 @@
<version>${hadoop.version}</version>
<optional>true</optional>
</dependency>
+ <dependency>
+ <groupId>com.lmax</groupId>
+ <artifactId>disruptor</artifactId>
+ <version>${disruptor.version}</version>
+ </dependency>
<!-- test inter-project -->
<dependency>
<groupId>junit</groupId>
diff --git a/llap-server/pom.xml b/llap-server/pom.xml
index d9ae1ad..1dac091 100644
--- a/llap-server/pom.xml
+++ b/llap-server/pom.xml
@@ -230,6 +230,11 @@
<groupId>org.codehaus.jettison</groupId>
<artifactId>jettison</artifactId>
</dependency>
+ <dependency>
+ <groupId>com.lmax</groupId>
+ <artifactId>disruptor</artifactId>
+ <version>${disruptor.version}</version>
+ </dependency>
<!-- test inter-project -->
<dependency>
diff --git a/pom.xml b/pom.xml
index c20e8c6..0be98f8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -98,7 +98,7 @@
<maven.install.plugin.version>2.4</maven.install.plugin.version>
<maven.jar.plugin.version>2.4</maven.jar.plugin.version>
<maven.javadoc.plugin.version>2.4</maven.javadoc.plugin.version>
- <maven.shade.plugin.version>2.4.3</maven.shade.plugin.version>
+ <maven.shade.plugin.version>3.2.0</maven.shade.plugin.version>
<maven.surefire.plugin.version>3.0.0-M4</maven.surefire.plugin.version>
<maven.war.plugin.version>2.4</maven.war.plugin.version>
<maven.dependency.plugin.version>2.8</maven.dependency.plugin.version>
@@ -143,7 +143,7 @@
<hamcrest.version>1.1</hamcrest.version>
<hbase.version>1.1.1</hbase.version>
<!-- required for logging test to avoid including hbase which pulls
disruptor transitively -->
- <disruptor.version>3.3.0</disruptor.version>
+ <disruptor.version>3.3.7</disruptor.version>
<hikaricp.version>2.5.1</hikaricp.version>
<!-- httpcomponents are not always in version sync -->
<httpcomponents.client.version>4.4</httpcomponents.client.version>
@@ -174,7 +174,7 @@
<kryo.version>3.0.3</kryo.version>
<libfb303.version>0.9.3</libfb303.version>
<libthrift.version>0.9.3</libthrift.version>
- <log4j2.version>2.6.2</log4j2.version>
+ <log4j2.version>2.17.0</log4j2.version>
<opencsv.version>2.3</opencsv.version>
<orc.version>1.3.4</orc.version>
<mockito-all.version>1.9.5</mockito-all.version>
diff --git a/ql/pom.xml b/ql/pom.xml
index 4085de3..b83b9cd 100644
--- a/ql/pom.xml
+++ b/ql/pom.xml
@@ -141,6 +141,11 @@
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+ <version>${log4j2.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>${log4j2.version}</version>
</dependency>
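Review bot: The new direct `log4j-core` dependency carries no comment explaining why ql now needs it at compile scope, and the reason is only visible in another file of this commit: NoDeleteRollingFileAppender.java switches its import to `org.apache.logging.log4j.core.util.OptionConverter`, which lives in log4j-core. A one-line `<!-- direct dependency: ql/.../log/NoDeleteRollingFileAppender.java uses org.apache.logging.log4j.core.util.OptionConverter -->` above the new `<dependency>` would keep a later dependency-cleanup pass from demoting it back to transitive. The enclosing `<dependencies>` element starts outside the hunk.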
diff --git
a/ql/src/java/org/apache/hadoop/hive/ql/log/NoDeleteRollingFileAppender.java
b/ql/src/java/org/apache/hadoop/hive/ql/log/NoDeleteRollingFileAppender.java
index be32f06..5d10233 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/log/NoDeleteRollingFileAppender.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/log/NoDeleteRollingFileAppender.java
@@ -27,7 +27,7 @@ import org.apache.log4j.FileAppender;
import org.apache.log4j.Layout;
import org.apache.log4j.helpers.CountingQuietWriter;
import org.apache.log4j.helpers.LogLog;
-import org.apache.log4j.helpers.OptionConverter;
+import org.apache.logging.log4j.core.util.OptionConverter;
import org.apache.log4j.spi.LoggingEvent;
public class NoDeleteRollingFileAppender extends FileAppender {
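Review bot: After this change the class mixes the two log4j generations — it still extends `org.apache.log4j.FileAppender` and imports `CountingQuietWriter`, `LogLog` and `LoggingEvent` from the 1.x packages, while `OptionConverter` now comes from log4j-core 2.x — and nothing in the file records why only that one helper was swapped. Presumably the 1.x names are served by a compatibility layer that no longer provides `OptionConverter` after the upgrade (inferred, not visible here); a comment on the import such as `// log4j-core 2.x OptionConverter: the org.apache.log4j.helpers version is not available after HIVE-25824` would capture that and keep an IDE "optimize imports" from reverting it. The class body is entirely outside the hunk, so whether the 2.x `OptionConverter` methods the class calls have the same signatures and semantics as the 1.x ones could not be checked from this diff and deserves a test run of the appender.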
diff --git a/service/pom.xml b/service/pom.xml
index 40ef75b..de3504e 100644
--- a/service/pom.xml
+++ b/service/pom.xml
@@ -81,7 +81,12 @@
</exclusion>
</exclusions>
</dependency>
- <!-- used by thrift generated code -->
+ <dependency>
+ <groupId>com.lmax</groupId>
+ <artifactId>disruptor</artifactId>
+ <version>${disruptor.version}</version>
+ </dependency>
+ <!-- used by thrift generated code -->
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
diff --git a/testutils/ptest2/pom.xml b/testutils/ptest2/pom.xml
index e914e44..65c30d2 100644
--- a/testutils/ptest2/pom.xml
+++ b/testutils/ptest2/pom.xml
@@ -26,7 +26,7 @@ limitations under the License.
<name>hive-ptest</name>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- <log4j2.version>2.6.2</log4j2.version>
+ <log4j2.version>2.17.0</log4j2.version>
<spring.framework.version>3.2.16.RELEASE</spring.framework.version>
<jclouds.version>2.0.0</jclouds.version>
</properties>