achennagiri opened a new pull request #2217: URL: https://github.com/apache/hive/pull/2217
All of the util classes that were used in Hive as part of the `jodd-core` dependency have moved to jodd-util. Upgrading to version 6.0.0 of the jodd-util package.

### What changes were proposed in this pull request?

Hive uses a version of the `jodd-core` dependency directly that is susceptible to CVE-2018-21234. We need to upgrade this library to a more recent version, but the higher versions don't have exactly the same classes and methods that Hive needs. There is a breaking change introduced in the library: https://github.com/oblac/jodd/blob/master/CHANGELOG_v4.md#breaking-changes-1

Currently, we use the JDateTime class (https://github.com/apache/hive/blob/7b3ecf617a6d46f48a3b6f77e0339fd4ad95a420/ql/src/java/org/apache/hadoop/hive/ql/io/parquet/timestamp/NanoTimeUtils.java#L26) and the HtmlEncoder class (https://github.com/apache/hive/blob/7b3ecf617a6d46f48a3b6f77e0339fd4ad95a420/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp#L35) from this library. The equivalent classes are JulianDate (https://github.com/oblac/jodd-util/blob/master/src/main/java/jodd/time/JulianDate.java) and HtmlEncoder (https://github.com/oblac/jodd-util/blob/03b045739cae2ddb4954c679739ef1c694d7f1e5/src/main/java/jodd/net/HtmlEncoder.java). The above two classes have been modified to use the below ones.

Note: The HTML Encoder class hasn't changed much in functionality, except that one of the methods, strict(), has been renamed to text(). It pretty much does the same thing. The JulianDate class has changed a bit, and this piece of code needs to be reviewed carefully.

### Why are the changes needed?

We need this change to get rid of CVE https://nvd.nist.gov/vuln/detail/CVE-2018-21234. Below is a brief description of it:

CVE-2018-21234: Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.

- CWE-502 Deserialization of Untrusted Data
- CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
- CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- References:
  - MISC - https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16
  - MISC - https://github.com/oblac/jodd/compare/v5.0.3...v5.0.4
  - MISC - https://github.com/oblac/jodd/issues/628
- Vulnerable Software & Versions: cpe:2.3:a:jodd:jodd:*:*:*:*:*:*:*:* versions up to (excluding) 5.0.4

Although we don't make use of the vulnerable method in Hive, it's a good practice to keep the libraries up-to-date.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Ran pre-commit tests. Any suggestions to locally test this patch would be helpful.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

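The part of this change the description flags for careful review is the JDateTime to JulianDate migration inside NanoTimeUtils, which converts between timestamps and Parquet INT96 values (a Julian day number plus nanoseconds of day). The following is an added reference implementation, not Hive's or Jodd's code, that produces the expected INT96 fields and bytes for known instants so the migrated Java output can be compared against them locally; it assumes the INT96 layout of 8 little-endian bytes of nanos-of-day followed by 4 little-endian bytes of Julian day, and that 1970-01-01 UTC is Julian Day Number 2440588.

```python
import struct
from datetime import datetime, timezone

# 1970-01-01T00:00:00Z falls on Julian Day Number 2440588 (assumption stated in the lead-in).
UNIX_EPOCH_JDN = 2440588
NANOS_PER_DAY = 86_400 * 10**9


def iso_utc_to_epoch_nanos(iso_utc: str, extra_nanos: int = 0) -> int:
    """Parse a naive ISO-8601 string as UTC and return nanoseconds since the Unix epoch.

    extra_nanos lets the caller supply sub-microsecond digits that datetime cannot hold.
    """
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    whole_seconds = int(dt.timestamp())  # exact for tz-aware UTC datetimes
    return whole_seconds * 10**9 + dt.microsecond * 1000 + extra_nanos


def epoch_nanos_to_int96(epoch_nanos: int) -> tuple[int, int]:
    """Split epoch nanoseconds into (julian_day, nanos_of_day).

    divmod floors toward negative infinity, so instants before 1970 land on the
    previous Julian day with a positive nanos_of_day, which is the edge case a
    JDateTime -> JulianDate migration is most likely to get wrong.
    """
    days, nanos_of_day = divmod(epoch_nanos, NANOS_PER_DAY)
    return UNIX_EPOCH_JDN + days, nanos_of_day


def int96_to_epoch_nanos(julian_day: int, nanos_of_day: int) -> int:
    """Inverse of epoch_nanos_to_int96."""
    return (julian_day - UNIX_EPOCH_JDN) * NANOS_PER_DAY + nanos_of_day


def int96_pack(julian_day: int, nanos_of_day: int) -> bytes:
    """Encode as the 12-byte INT96 value: int64 nanos then int32 julian day, little-endian."""
    return struct.pack("<qi", nanos_of_day, julian_day)


def int96_unpack(raw: bytes) -> tuple[int, int]:
    """Decode a 12-byte INT96 value back to (julian_day, nanos_of_day)."""
    nanos_of_day, julian_day = struct.unpack("<qi", raw)
    return julian_day, nanos_of_day


if __name__ == "__main__":
    # Constructed reference instants; compare the Java NanoTime output for the same
    # inputs against these tuples and byte strings.
    for label, nanos in [("epoch", 0), ("y2k", iso_utc_to_epoch_nanos("2000-01-01T00:00:00")),
                         ("pre-epoch", iso_utc_to_epoch_nanos("1969-12-31T23:59:59", 999_999_999))]:
        jd, nod = epoch_nanos_to_int96(nanos)
        print(f"{label:10s} julian_day={jd} nanos_of_day={nod} bytes={int96_pack(jd, nod).hex()}")
```

A mismatch on the pre-epoch row in particular would indicate that the migrated conversion rounds toward zero instead of flooring.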