[jira] [Work logged] (HIVE-25795) [CVE-2021-44228] Update log4j2 version to 2.15.0

ASF GitHub Bot (Jira) Fri, 10 Dec 2021 08:08:06 -0800


     [ 
https://issues.apache.org/jira/browse/HIVE-25795?focusedWorklogId=694066&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-694066
 ]


ASF GitHub Bot logged work on HIVE-25795:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 10/Dec/21 16:07
            Start Date: 10/Dec/21 16:07
    Worklog Time Spent: 10m 
      Work Description: guptanikhil007 edited a comment on pull request #2863:
URL: https://github.com/apache/hive/pull/2863#issuecomment-991029400


   @dengzhhu653 Closed previous pull request because build was stuck in a 
pending state. (Somehow throttled)
   
   Adding the conversation here:
   
   bin/hive-config.sh changes
   dengzhhu653:
   maybe we do not need this after updating?
   
   guptanikhil007:
   Similar HBase fix:
   https://github.com/apache/hbase/pull/3933/files
   
   The leader of knownsec 404 team (ZoomEye & SeeBug) 'Heige' have also 
recommend to set log4j2.formatMsgNoLookups to true
   Ref: 
https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
   
   dengzhhu653:
   Got it, thank you!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 694066)
    Time Spent: 1h 40m  (was: 1.5h)

> [CVE-2021-44228] Update log4j2 version to 2.15.0
> ------------------------------------------------
>
>                 Key: HIVE-25795
>                 URL: https://issues.apache.org/jira/browse/HIVE-25795
>             Project: Hive
>          Issue Type: Bug
>          Components: Logging
>            Reporter: Nikhil Gupta
>            Assignee: Nikhil Gupta
>            Priority: Critical
>              Labels: pull-request-available
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> [Worst Apache Log4j RCE Zero day Dropped on Internet - Cyber 
> Kendra|https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html]
> Vulnerability:
> https://github.com/apache/logging-log4j2/commit/7fe72d6



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Work logged] (HIVE-25795) [CVE-2021-44228] Update log4j2 version to 2.15.0

Reply via email to