damccorm opened a new issue, #21426:
URL: https://github.com/apache/beam/issues/21426

beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog, transitively) declare a *Provided* dependency on org.apache.hive:hive-exec. Users are expected to include a version of those libraries on their classpath when using these Beam artifacts.

However, at this time Hive has not yet made a release that bumps its log4j dependency >= 2.16.0 for CVE-2021-44228. This is ready for Hive 4.0 (HIVE-25795), whenever it is released. Ideally for Beam it would be backported to 2.x (HIVE-25824) as well.

In the meantime, *users of beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog) should take care to override the transitive log4j dependency when they add a hive dependency*. See https://blog.gradle.org/log4j-vulnerability for advice on how to safely configure a gradle build.

Beam currently continuously tests these artifacts with log4j 2.17.0.

Imported from Jira [BEAM-13499](https://issues.apache.org/jira/browse/BEAM-13499). Original Jira may contain additional context.
Reported by: bhulette.
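One way to apply the override the issue asks for, as an added Gradle (Groovy DSL) example that is not part of the issue or of Beam's own build: a dependency constraint pins the log4j modules pulled in transitively by hive-exec to the 2.17.x line Beam tests against. The Beam and Hive version strings are placeholders, and which log4j modules hive-exec actually drags in depends on the Hive version you pick.

```groovy
// build.gradle for a pipeline that uses beam-sdks-java-io-hcatalog (added example).
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // <beam-version> / <hive-version> are placeholders: substitute the versions you use.
    implementation 'org.apache.beam:beam-sdks-java-io-hcatalog:<beam-version>'
    // hive-exec is only "provided" by the Beam artifact, so it must be added here,
    // and it is the artifact that brings in the vulnerable log4j 2.x transitively.
    implementation 'org.apache.hive:hive-exec:<hive-version>'

    constraints {
        // A constraint with strictly() overrides whatever version hive-exec asks for,
        // including versions that would otherwise win by conflict resolution.
        // Beam's own CI runs these artifacts against 2.17.0, hence the preferred version.
        ['log4j-core', 'log4j-api', 'log4j-1.2-api', 'log4j-slf4j-impl'].each { module ->
            implementation("org.apache.logging.log4j:${module}") {
                version {
                    strictly '[2.17, 3['
                    prefer '2.17.0'
                }
                because 'CVE-2021-44228: hive-exec has no release with a patched log4j yet'
            }
        }
    }
}

// The constraint is only effective for modules that are actually in the graph;
// check the result before shipping with:
//   ./gradlew dependencyInsight --dependency log4j-core --configuration runtimeClasspath
```

If a listed module is not in the resolved graph for your Hive version, the constraint for it is simply inert; the dependencyInsight output shows which log4j modules were actually resolved and to what version.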


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
