[https://issues.apache.org/jira/browse/HIVE-24299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489979#comment-17489979]
Jeevi Reddy Gudibandi edited comment on HIVE-24299 at 2/10/22, 6:15 AM:
------------------------------------------------------------------------
The following vulnerability reported on Google's Guava library requires the
library to be upgraded; checking if this can be prioritized for an upcoming release?
[https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
allows remote attackers to conduct denial of service attacks against servers
that depend on this library and deserialize attacker-provided data, because the
AtomicDoubleArray class (when serialized with Java serialization) and the
CompoundOrdering class (when serialized with GWT serialization) perform eager
allocation without appropriate checks on what a client has sent and whether the
data size is reasonable.
was (Author: JIRAUSER284971):
There is another vulnerability reported on Google's Guava. Checking if there is
any plan to upgrade the Guava library that is bundled with Hive?
[https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
allows remote attackers to conduct denial of service attacks against servers
that depend on this library and deserialize attacker-provided data, because the
AtomicDoubleArray class (when serialized with Java serialization) and the
CompoundOrdering class (when serialized with GWT serialization) perform eager
allocation without appropriate checks on what a client has sent and whether the
data size is reasonable.
> hive-ql guava versions and vulnerabilities
> ------------------------------------------
>
> Key: HIVE-24299
> URL: https://issues.apache.org/jira/browse/HIVE-24299
> Project: Hive
> Issue Type: Improvement
> Components: hpl/sql
> Affects Versions: 3.1.2
> Reporter: openlookeng
> Priority: Blocker
>
> hive-ql shades Google's Guava 19.0 component, but it has the vulnerability
> CVE-2018-10237; does the team have a plan to update it?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
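As an added illustration (not code from the Hive project or from Guava itself), the eager-allocation pattern the CVE text describes, beside a hardened readObject that bounds the claimed length before allocating; the class names and the MAX_ELEMENTS cap are assumptions:

```java
import java.io.*;

/** Illustrative reconstruction of the pattern behind CVE-2018-10237 (not Guava's code). */
class EagerDoubleArray implements Serializable {
    private static final long serialVersionUID = 1L;
    transient double[] values = new double[0];
    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeInt(values.length);
        for (double v : values) out.writeDouble(v);
    }
    // VULNERABLE: the length comes from the untrusted stream and is allocated before
    // a single element has been read, so a few bytes can claim a huge array.
    // Note that an ObjectInputFilter "maxarray" limit does not cover this case: it
    // checks arrays the stream deserializes as objects, not arrays readObject allocates.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int length = in.readInt();
        values = new double[length];
        for (int i = 0; i < length; i++) values[i] = in.readDouble();
    }
}

/** Hardened form: reject an implausible length before any allocation happens. */
class BoundedDoubleArray implements Serializable {
    private static final long serialVersionUID = 1L;
    static final int MAX_ELEMENTS = 1 << 20;  // assumed deployment cap, not a Guava value
    transient double[] values = new double[0];
    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeInt(values.length);
        for (double v : values) out.writeDouble(v);
    }
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int length = in.readInt();
        if (length < 0 || length > MAX_ELEMENTS) {
            throw new InvalidObjectException("refusing to allocate " + length + " elements");
        }
        values = new double[length];
        for (int i = 0; i < length; i++) values[i] = in.readDouble();
    }
}
```

The bound keeps the cost of a forged length proportional to the bytes the client actually sends; upgrading to a Guava release at or above 24.1.1 is still the fix for the shaded copy.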