Luca Toscano created BIGTOP-3621:
------------------------------------
Summary: Review Oozie 4.x and 5.x configs for CVE-2021-44228
Key: BIGTOP-3621
URL: https://issues.apache.org/jira/browse/BIGTOP-3621
Project: Bigtop
Issue Type: Bug
Affects Versions: 3.0.0, 1.5.0
Reporter: Luca Toscano
Fix For: 1.5.1, 3.0.1
In Bigtop 1.5 Oozie seems to include log4j 2.6.x jars:
{code}
$ dpkg -L oozie | egrep 'log4j.*2\.6'
/usr/lib/oozie/lib/log4j-api-2.6.2.jar
/usr/lib/oozie/lib/log4j-core-2.6.2.jar
/usr/lib/oozie/lib/log4j-slf4j-impl-2.6.2.jar
/usr/lib/oozie/lib/log4j-web-2.6.2.jar
{code}
On vanilla Oozie branch-4.3's dependency:tree I can find a reference to the
lib, but from Bigtop's build log it seems pulled in by the hcatalog pom.xml.
I quickly tried to exclude the log4j dependency and it worked (no extra log4j
jars in the .deb), but it is probably not the right fix since the hive
dependencies may need a more up-to-date log4j version.
We should also review Oozie's 5.x version for Bigtop 3.x.
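As an added defender-side check, not part of this issue or the Bigtop project, the POSIX shell script below reads `dpkg -L` style output, picks out the log4j-core jars and flags versions affected by CVE-2021-44228 (fixed in 2.15.0, with the 2.12.2 and 2.3.1 backports for older JDKs; 2.0-beta1 to beta8 predate the affected lookup). The sample jar list is constructed; on a real host pipe `dpkg -L oozie` into `report_affected` instead.

```shell
#!/bin/sh
# Returns 0 if the given log4j-core version is affected by CVE-2021-44228.
# Affected: 2.0-beta9 up to (not including) 2.15.0, except the backport
# lines 2.12.2+ (Java 7) and 2.3.1+ (Java 6). 1.x is a different code base.
log4j_core_affected() {
    ver="$1"
    case "$ver" in
        2.0-beta[1-8]) return 1 ;;   # pre-JNDI-lookup betas
        2.*) ;;
        *) return 1 ;;
    esac
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$patch" ] && patch=0
    [ "$minor" -ge 15 ] && return 1
    [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ] && return 1
    [ "$minor" -eq 3 ] && [ "$patch" -ge 1 ] && return 1
    return 0
}

# Reads file paths on stdin (one per line, as printed by `dpkg -L <pkg>`),
# writes a verdict per log4j-core jar to stderr and the number of affected
# jars to stdout so callers can act on the count.
report_affected() {
    count=0
    while IFS= read -r jar; do
        case "$jar" in */log4j-core-*.jar) ;; *) continue ;; esac
        ver=${jar##*/log4j-core-}
        ver=${ver%.jar}
        if log4j_core_affected "$ver"; then
            printf 'AFFECTED %s (log4j-core %s)\n' "$jar" "$ver" >&2
            count=$((count + 1))
        else
            printf 'ok       %s (log4j-core %s)\n' "$jar" "$ver" >&2
        fi
    done
    echo "$count"
}

# Constructed sample in the shape of `dpkg -L oozie` output (not real data).
SAMPLE_JARS='/usr/lib/oozie/lib/log4j-api-2.6.2.jar
/usr/lib/oozie/lib/log4j-core-2.6.2.jar
/usr/lib/oozie/lib/log4j-slf4j-impl-2.6.2.jar
/usr/lib/oozie/lib/log4j-web-2.6.2.jar
/usr/lib/oozie/lib/log4j-core-2.17.1.jar
/usr/lib/oozie/lib/log4j-1.2.17.jar'

# Example run over the constructed sample; prints the affected count (1).
printf '%s\n' "$SAMPLE_JARS" | report_affected
```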