Dan Huff created HIVE-27691:
-------------------------------
Summary: Update Guava in hive to at least 32.0.1-jre to address
CVE-2023-2976
Key: HIVE-27691
URL: https://issues.apache.org/jira/browse/HIVE-27691
Project: Hive
Issue Type: Bug
Reporter: Dan Huff
I was advised to open this directly as this isn't anything secret. Guava having
various CVEs is a well-known issue within the Hive project
This particular CVE is [https://nvd.nist.gov/vuln/detail/CVE-2023-2976]
{quote}{color:#172b4d} Use of Java's default temporary directory for file
creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on
Unix systems and Android Ice Cream Sandwich allows other users and apps on the
machine with access to the default Java temporary directory to be able to
access the files created by the class. Even though the security vulnerability
is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0
breaks some functionality under Windows.{color}
{quote}
{color:#172b4d}I saw a number of uses of createTempDir in Hive so Hive may be
vulnerable to this issue.{color}
{color:#172b4d}Previous updates have been attempted but from the [comments in
PRs|https://github.com/apache/hive/pull/4271#issuecomment-1525398100], it
sounds like the update is likely to be a large project. {color}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
