[
https://issues.apache.org/jira/browse/BEAM-13499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17541064#comment-17541064
]
Beam JIRA Bot commented on BEAM-13499:
--------------------------------------
This issue is P2 but has been unassigned without any comment for 60 days so it
has been labeled "stale-P2". If this issue is still affecting you, we care!
Please comment and remove the label. Otherwise, in 14 days the issue will be
moved to P3.
Please see https://beam.apache.org/contribute/jira-priorities/ for a detailed
explanation of what these priorities mean.
> beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are
> vulnerable to CVE-2021-44228
> ------------------------------------------------------------------------------------------------------
>
> Key: BEAM-13499
> URL: https://issues.apache.org/jira/browse/BEAM-13499
> Project: Beam
> Issue Type: Bug
> Components: dsl-sql, io-java-hcatalog
> Affects Versions: 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0,
> 2.38.0
> Reporter: Brian Hulette
> Priority: P2
> Labels: stale-P2
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog,
> transitively) declare a *Provided* dependency on org.apache.hive:hive-exec.
> Users are expected to include a version of those libraries on their classpath
> when using these Beam artifacts.
> However, at this time Hive has not yet made a release that bumps its log4j
> dependency >= 2.16.0 for CVE-2021-44228. This is ready for Hive 4.0
> (HIVE-25795), whenever it is released. Ideally for Beam it would be
> backported to 2.x (HIVE-25824) as well.
> In the meantime, *users of beam-sdks-java-io-hcatalog (and
> beam-sdks-java-extensions-sql-hcatalog) should take care to override the
> transitive log4j dependency when they add a hive dependency*. See
> https://blog.gradle.org/log4j-vulnerability for advice on how to safely
> configure a gradle build.
> Beam currently continuously tests these artifacts with log4j 2.17.0.
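The description above asks users of beam-sdks-java-io-hcatalog to override the transitive log4j dependency that org.apache.hive:hive-exec pulls in. The Gradle Kotlin DSL fragment below is an added illustration of that mitigation and is not part of the issue or of the Beam project; it uses the dependency-constraint pattern from the Gradle blog post the reporter links to. The Beam and Hive version strings are placeholders (the issue does not name a fixed Hive release), and the constraint pins log4j to the 2.17.0 line that the reporter says Beam itself tests against.

```kotlin
// build.gradle.kts (added example, not Beam project code)
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Beam artifact that declares org.apache.hive:hive-exec as a *provided*
    // dependency, so the user has to supply Hive on the classpath themselves.
    // "<beam-version>" is a placeholder.
    implementation("org.apache.beam:beam-sdks-java-io-hcatalog:<beam-version>")

    // The Hive library the user adds. Its released 2.x/3.x versions still pull in
    // a log4j 2 release that predates the CVE-2021-44228 fix. "<hive-version>"
    // is a placeholder.
    implementation("org.apache.hive:hive-exec:<hive-version>")

    // Dependency constraints override whatever log4j version hive-exec (or any
    // other transitive path) resolves to, without excluding log4j altogether.
    constraints {
        listOf("log4j-core", "log4j-api").forEach { artifact ->
            implementation("org.apache.logging.log4j:$artifact") {
                version {
                    // Reject anything below the 2.17 line; fail resolution rather
                    // than silently downgrade if another constraint conflicts.
                    strictly("[2.17, 3[")
                    prefer("2.17.0")
                }
                because("CVE-2021-44228: force the patched log4j 2 line that Beam tests with")
            }
        }
    }
}
```

After applying the constraint, confirm which version actually lands on the runtime classpath with `./gradlew dependencyInsight --dependency log4j-core --configuration runtimeClasspath`; the report shows the selection reason and every path through which hive-exec requested the older version. Because `strictly` rejects out-of-range versions instead of merely preferring a newer one, a later dependency that tries to drag log4j back below 2.17 breaks the build rather than the mitigation.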
--
This message was sent by Atlassian Jira
(v8.20.7#820007)