[ https://issues.apache.org/jira/browse/BEAM-13499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on BEAM-13499 started by null.
-----------------------------------

> beam-sdks-java-io-hcatalog and beam-sdks-java-extensions-sql-hcatalog are
> vulnerable to CVE-2021-44228
> ------------------------------------------------------------------------------------------------------
>
> Key: BEAM-13499
> URL: https://issues.apache.org/jira/browse/BEAM-13499
> Project: Beam
> Issue Type: Bug
> Components: dsl-sql, io-java-hcatalog
> Affects Versions: 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0,
> 2.38.0
> Reporter: Brian Hulette
> Priority: P2
> Labels: stale-P2
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog,
> transitively) declare a *Provided* dependency on org.apache.hive:hive-exec.
> Users are expected to include a version of those libraries on their classpath
> when using these Beam artifacts.
> However, at this time Hive has not yet made a release that bumps its log4j
> dependency >= 2.16.0 for CVE-2021-44228. This is ready for Hive 4.0
> (HIVE-25795), whenever it is released. Ideally for Beam it would be
> backported to 2.x (HIVE-25824) as well.
> In the meantime, *users of beam-sdks-java-io-hcatalog (and
> beam-sdks-java-extensions-sql-hcatalog) should take care to override the
> transitive log4j dependency when they add a hive dependency*. See
> https://blog.gradle.org/log4j-vulnerability for advice on how to safely
> configure a gradle build.
> Beam currently continuously tests these artifacts with log4j 2.17.0.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
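One way to apply the override the issue asks for, as an added Gradle (Groovy DSL) example that is not part of the Jira thread or of Beam itself; the Hive version is a placeholder and the Beam version is one of those the issue lists as affected:

```groovy
// build.gradle (Groovy DSL) for an application that uses beam-sdks-java-io-hcatalog.
// Added example, not taken from the Jira issue; the Hive version is a placeholder.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

def beamVersion = '2.38.0'                    // one of the affected Beam versions the issue lists
def hiveVersion = 'HIVE_VERSION_PLACEHOLDER'  // the Hive 2.x/3.x release you actually deploy against

dependencies {
    implementation "org.apache.beam:beam-sdks-java-io-hcatalog:${beamVersion}"
    // The Beam artifact only declares hive-exec as 'provided', so the application
    // has to add it itself; this is the dependency that pulls in the old log4j.
    implementation "org.apache.hive:hive-exec:${hiveVersion}"

    // Override the transitive log4j 2.x artifacts with a patched line (>= 2.17.0,
    // the version Beam itself tests against). 'strictly' makes resolution fail
    // rather than silently keep an older version another dependency asks for.
    constraints {
        implementation('org.apache.logging.log4j:log4j-core') {
            version {
                strictly '[2.17.0, 3['
                prefer '2.17.0'
            }
            because 'CVE-2021-44228: Hive has no release with a fixed log4j yet (HIVE-25795, HIVE-25824)'
        }
        implementation('org.apache.logging.log4j:log4j-api') {
            version {
                strictly '[2.17.0, 3['
                prefer '2.17.0'
            }
            because 'keep log4j-api on the same line as log4j-core'
        }
    }
}

// Check what actually ends up on the runtime classpath after the override:
//   ./gradlew dependencyInsight --configuration runtimeClasspath --dependency log4j-core
```

A constraint only governs artifacts Gradle resolves; log4j classes bundled inside a shaded jar or supplied by the runtime cluster's own classpath are outside its reach and must be checked separately.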