Brian Hulette created BEAM-13499:
------------------------------------

             Summary: beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are vulnerable to CVE-2021-44228
                 Key: BEAM-13499
                 URL: https://issues.apache.org/jira/browse/BEAM-13499
             Project: Beam
          Issue Type: Bug
          Components: dsl-sql, io-java-hcatalog
    Affects Versions: 2.34.0, 2.33.0, 2.32.0, 2.31.0, 2.35.0
            Reporter: Brian Hulette


beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog, 
transitively) declare a *Provided* dependency on org.apache.hive:hive-exec. 
Users are expected to include a version of those libraries on their classpath 
when using these Beam artifacts.

However, at this time Hive has not yet made a release that bumps its log4j 
dependency >= 2.16.0 for CVE-2021-44228. This is ready for Hive 4.0 
(HIVE-25795), whenever it is released. Ideally for Beam it would be backported 
to 2.x (HIVE-25824) as well.

In the meantime, *users of beam-sdks-java-io-hcatalog (and 
beam-sdks-java-extensions-sql-hcatalog) should take care to override the 
transitive log4j dependency when they add a Hive dependency*. See 
https://blog.gradle.org/log4j-vulnerability for advice on how to safely 
configure a Gradle build.
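As an added example (not part of this issue or of the Beam project), a Gradle build fragment in the Groovy DSL that supplies hive-exec alongside the Beam artifact and pins the transitive log4j artifacts to a fixed release; the versions in angle brackets are placeholders, not values from the issue.

```groovy
// Added example, not from the Beam issue or the Beam project.
// <beam-version> and <hive-version> are placeholders for the releases
// actually in use.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation "org.apache.beam:beam-sdks-java-io-hcatalog:<beam-version>"

    // hive-exec is only a Provided dependency of the Beam artifact, so the
    // application has to supply it. This is the dependency that pulls in
    // the outdated log4j version transitively.
    runtimeOnly "org.apache.hive:hive-exec:<hive-version>"

    // WEAK: with nothing below, Gradle keeps whichever log4j-core version
    // hive-exec declares, i.e. a release affected by CVE-2021-44228.

    // FIXED: strict constraints on the transitive log4j artifacts.
    // 'strictly' rejects anything below 2.16.0 instead of letting the
    // highest declared version win; if some other dependency insists on
    // an older log4j, resolution fails loudly rather than shipping it.
    // log4j-api is pinned too so that core and api stay in step.
    constraints {
        implementation('org.apache.logging.log4j:log4j-core') {
            version {
                strictly('[2.16, 3[')
                prefer('2.16.0')
            }
            because('CVE-2021-44228: Log4j vulnerable to remote code execution')
        }
        implementation('org.apache.logging.log4j:log4j-api') {
            version {
                strictly('[2.16, 3[')
                prefer('2.16.0')
            }
            because('keep log4j-api aligned with the pinned log4j-core')
        }
    }
}

// Verify what actually ends up on the runtime classpath:
//   ./gradlew dependencyInsight --dependency log4j-core --configuration runtimeClasspath
```

The constraint only governs artifacts Gradle resolves; it does not patch classes bundled inside another jar, so the dependencyInsight check above is the confirmation that the pinned version is the one selected.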



--
This message was sent by Atlassian Jira
(v8.20.1#820001)