[jira] [Commented] (HIVE-29337) We are using Hive 3.1.3 in pur production env. Security team has raised concern regarding open VA issues for the builder jars within hive.

[Stamatis Zampetakis (Jira)]

    [ 
https://issues.apache.org/jira/browse/HIVE-29337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18040284#comment-18040284
 ] 

Stamatis Zampetakis commented on HIVE-29337:
--------------------------------------------

This is more like a question rather than a bug report. When it comes to 
questions you should rather send an email to the appropriate mailing list 
(https://hive.apache.org/community/mailinglists/).

Hive is an open-source project maintained by volunteers and anyone can 
contribute to it. If you are interested in upgrading some Hive dependencies to 
quiet the vulnerability scanners you can raise a dedicated ticket (e.g., see 
HIVE-29238 for an example) and start working on it. Once you are satisfied with 
the fix you can raise a pull request on GitHub following the contribution 
guidelines and wait for a review. When the upgrade gets merged it will be part 
of the next Hive release.

> We are using Hive 3.1.3 in pur production env. Security team has raised 
> concern regarding open VA issues for the builder jars within hive.
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-29337
>                 URL: https://issues.apache.org/jira/browse/HIVE-29337
>             Project: Hive
>          Issue Type: Bug
>          Components: Hive
>    Affects Versions: 3.1.3
>            Reporter: Vaibhav
>            Priority: Critical
>
> Hi Team,
> We are currently using Hive 3.1.3 in our production environment. Our security 
> team identified vulnerability issues with this version, so we upgraded Hive 
> to 4.1.0. However, the reported vulnerabilities still persist.
> The security team has recommended upgrading the packages located in 
> {{/apache-hive-3.1.3-bin/lib}} (or equivalent in Hive 4.1.0) to their latest 
> versions. When we attempted to manually update these jars, Hive stopped 
> functioning properly due to dependency conflicts.
> Please advise on the recommended approach to resolve these vulnerabilities 
> without breaking Hive functionality. Should we upgrade the entire Hadoop 
> ecosystem or is there an official patch/fix available for these libraries?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)