[ https://issues.apache.org/jira/browse/HIVE-23254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ankur Raj updated HIVE-23254:
-----------------------------
Description:
Upgrade guava version in hive from 19.0 to 27.0-jre.
Hadoop has already upgraded it as part of
[https://jira.apache.org/jira/browse/HADOOP-16213]
Concern : [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
allows remote attackers to conduct denial of service attacks against servers
that depend on this library and deserialize attacker-provided data, because the
AtomicDoubleArray class (when serialized with Java serialization) and the
CompoundOrdering class (when serialized with GWT serialization) perform eager
allocation without appropriate checks on what a client has sent and whether the
data size is reasonable.
was:
Upgrade guava version in hive from 19.0 to 27.0-jre.
Hadoop has already upgraded it as part of
[https://jira.apache.org/jira/browse/HADOOP-16213]
Concern : [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
> Upgrade guava version in hive from 19.0 to 27.0-jre
> ---------------------------------------------------
>
> Key: HIVE-23254
> URL: https://issues.apache.org/jira/browse/HIVE-23254
> Project: Hive
> Issue Type: Bug
> Affects Versions: 3.1.1
> Reporter: Ankur Raj
> Priority: Critical
>
> Upgrade guava version in hive from 19.0 to 27.0-jre.
> Hadoop has already upgraded it as part of
> [https://jira.apache.org/jira/browse/HADOOP-16213]
> Concern : [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
> Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
> allows remote attackers to conduct denial of service attacks against servers
> that depend on this library and deserialize attacker-provided data, because
> the AtomicDoubleArray class (when serialized with Java serialization) and the
> CompoundOrdering class (when serialized with GWT serialization) perform eager
> allocation without appropriate checks on what a client has sent and whether
> the data size is reasonable.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
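As an added illustration of the allocation pattern the CVE text above describes (example code written for this note, not code from Guava, Hive or this ticket), a hypothetical serializable holder class shows the eager-allocation shape beside a hardened readObject that grows its buffer only as elements actually arrive from the stream, so a forged element count cannot force a large allocation:

```java
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

// Hypothetical holder class, constructed for this illustration; not Guava's AtomicDoubleArray.
// Wire format: an int element count followed by that many doubles.
public final class DoubleArrayHolder implements Serializable {
    private static final long serialVersionUID = 1L;
    private transient double[] values;
    public DoubleArrayHolder(double[] values) {
        this.values = values.clone();
    }

    private void writeObject(ObjectOutputStream s) throws IOException {
        s.defaultWriteObject();
        s.writeInt(values.length);
        for (double v : values) {
            s.writeDouble(v);
        }
    }

    // Vulnerable shape (what the CVE text describes): trust the count from the stream and
    // allocate the whole array before a single element has been read, so a few bytes
    // claiming Integer.MAX_VALUE elements force a multi-gigabyte allocation:
    //   int n = s.readInt();
    //   values = new double[n];
    //   for (int i = 0; i < n; i++) values[i] = s.readDouble();
    // Hardened shape: reject a negative count, start small and grow only as elements
    // actually arrive, so memory tracks bytes received; a forged count on a short stream
    // fails with EOFException after allocating at most about twice the data sent.
    private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
        s.defaultReadObject();
        int declared = s.readInt();
        if (declared < 0) {
            throw new InvalidObjectException("negative element count: " + declared);
        }
        double[] buf = new double[Math.min(declared, 16)];
        int count = 0;
        while (count < declared) {
            if (count == buf.length) {
                buf = Arrays.copyOf(buf, (int) Math.min(2L * buf.length, declared));
            }
            buf[count++] = s.readDouble();
        }
        values = buf;
    }
}
```

Upgrading the dependency remains the actual fix for the Guava classes the CVE names; this pattern is the defensive shape to apply in any custom readObject that reads a length from untrusted input.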