Mich: did you read the CVE? I'm not clear, as this contains no reference to the Hive functionality that is affected, or how it might relate to a metastore. Please explain. Otherwise this looks like a generic AI-generated response with no particularly relevant content. "In summary"...
On Mon, Jan 27, 2025 at 8:57 AM Mich Talebzadeh <mich.talebza...@gmail.com> wrote: > I think the thread owner's point is valid. The default use of the Hive > Metastore by Spark further gives credence to the importance of addressing > this Hive vulnerability to ensure the security and reliability of Spark > applications. I use Hive as the default metastore for Spark as well. Spark > relies heavily on the Hive Metastore for managing critical metadata, such > as table schemas, data locations, and access control, unless you are using > a platform like Databricks with a unified catalog. In summary, this > dependency makes it essential to address any vulnerabilities within the > Hive Metastore, as they can indirectly impact the security and stability of > Spark applications among other things > > HTH > > Mich Talebzadeh, > Architect | Data Science | Financial Crime | Forensic Analysis | GDPR > > view my Linkedin profile > <https://www.linkedin.com/in/mich-talebzadeh-ph-d-5205b2/> > > > > > > On Mon, 27 Jan 2025 at 13:37, Sean Owen <sro...@gmail.com> wrote: > >> It looks like that affects Hive, and not the metastore. I do not see that >> it is relevant to Spark at first glance. >> >> >> On Mon, Jan 27, 2025 at 1:21 AM Balaji Sudharsanam V >> <balaji.sudharsa...@ibm.com.invalid> wrote: >> >>> Hi All, >>> >>> There is a vulnerability with ‘High’ severity found in the *Apache >>> Spark 3.x and 4.0.0 preview (2) releases,* with the >>> hive-metastore-2.3.x.jar. >>> This is defined here, Apache Hive security bypass CVE-2021-34538 >>> Vulnerability Report >>> <https://exchange.xforce.ibmcloud.com/vulnerabilities/231404> >>> >>> >>> >>> The recommendation is to use upgrade to the latest version of Apache >>> Hive (*3.1.3, 4.0 or later*), available from the Apache Web site. >>> >>> >>> >>> Can we expect this getting fixed in the Apache Spark 4.0 GA ? >>> >>> Thanks, >>> >>> Balaji >>> >>> >>> >>> >>
