[jira] [Updated] (HIVE-25054) Upgrade jodd-core due to CVE-2018-21234
[ https://issues.apache.org/jira/browse/HIVE-25054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Chao Sun updated HIVE-25054: Fix Version/s: 2.3.10 > Upgrade jodd-core due to CVE-2018-21234 > --- > > Key: HIVE-25054 > URL: https://issues.apache.org/jira/browse/HIVE-25054 > Project: Hive > Issue Type: Bug > Components: Build Infrastructure >Reporter: Abhay >Assignee: Abhay >Priority: Major > Labels: pull-request-available > Fix For: 2.3.10, 4.0.0-alpha-1 > > > Hive makes use of 3.5.2 version of the `jodd-core` library which is > susceptible to CVE-2018-21234. Below is a description of that vulnerability. > CVE-2018-21234 suppress > Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when > setClassMetadataName is set. > CWE-502 Deserialization of Untrusted Data > CVSSv2: > Base Score: HIGH (7.5) > Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P > CVSSv3: > Base Score: CRITICAL (9.8) > Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H > References: > MISC - > https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16MISC > - https://github.com/oblac/jodd/compare/v5.0.3...v5.0.4MISC - > https://github.com/oblac/jodd/issues/628Vulnerable Software & Versions: > cpe:2.3:a:jodd:jodd:*:*:*:*:*:*:*:* versions up to (excluding) 5.0.4 > > This library needs to be upgraded. We use a couple of classes > `JDateTime`([https://github.infra.cloudera.com/CDH/hive/blob/cdpd-master/ql/src/java/org/apache/hadoop/hive/ql/io/parquet/timestamp/NanoTimeUtils.java] > ) and `HtmlEncoder`, which have either been deprecated and/or have been > moved to a different package called jodd-util. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (HIVE-25054) Upgrade jodd-core due to CVE-2018-21234
[ https://issues.apache.org/jira/browse/HIVE-25054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] ASF GitHub Bot updated HIVE-25054: -- Labels: pull-request-available (was: ) > Upgrade jodd-core due to CVE-2018-21234 > --- > > Key: HIVE-25054 > URL: https://issues.apache.org/jira/browse/HIVE-25054 > Project: Hive > Issue Type: Bug > Components: Build Infrastructure >Reporter: Abhay >Assignee: Abhay >Priority: Major > Labels: pull-request-available > Fix For: 4.0.0-alpha-1 > > > Hive makes use of 3.5.2 version of the `jodd-core` library which is > susceptible to CVE-2018-21234. Below is a description of that vulnerability. > CVE-2018-21234 suppress > Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when > setClassMetadataName is set. > CWE-502 Deserialization of Untrusted Data > CVSSv2: > Base Score: HIGH (7.5) > Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P > CVSSv3: > Base Score: CRITICAL (9.8) > Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H > References: > MISC - > https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16MISC > - https://github.com/oblac/jodd/compare/v5.0.3...v5.0.4MISC - > https://github.com/oblac/jodd/issues/628Vulnerable Software & Versions: > cpe:2.3:a:jodd:jodd:*:*:*:*:*:*:*:* versions up to (excluding) 5.0.4 > > This library needs to be upgraded. We use a couple of classes > `JDateTime`([https://github.infra.cloudera.com/CDH/hive/blob/cdpd-master/ql/src/java/org/apache/hadoop/hive/ql/io/parquet/timestamp/NanoTimeUtils.java] > ) and `HtmlEncoder`, which have either been deprecated and/or have been > moved to a different package called jodd-util. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (HIVE-25054) Upgrade jodd-core due to CVE-2018-21234
[ https://issues.apache.org/jira/browse/HIVE-25054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abhay updated HIVE-25054: - Affects Version/s: (was: 3.1.2) > Upgrade jodd-core due to CVE-2018-21234 > --- > > Key: HIVE-25054 > URL: https://issues.apache.org/jira/browse/HIVE-25054 > Project: Hive > Issue Type: Bug > Components: Build Infrastructure >Reporter: Abhay >Assignee: Abhay >Priority: Major > > Hive makes use of 3.5.2 version of the `jodd-core` library which is > susceptible to CVE-2018-21234. Below is a description of that vulnerability. > CVE-2018-21234 suppress > Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when > setClassMetadataName is set. > CWE-502 Deserialization of Untrusted Data > CVSSv2: > Base Score: HIGH (7.5) > Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P > CVSSv3: > Base Score: CRITICAL (9.8) > Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H > References: > MISC - > https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16MISC > - https://github.com/oblac/jodd/compare/v5.0.3...v5.0.4MISC - > https://github.com/oblac/jodd/issues/628Vulnerable Software & Versions: > cpe:2.3:a:jodd:jodd:*:*:*:*:*:*:*:* versions up to (excluding) 5.0.4 > > This library needs to be upgraded. We use a couple of classes > `JDateTime`([https://github.infra.cloudera.com/CDH/hive/blob/cdpd-master/ql/src/java/org/apache/hadoop/hive/ql/io/parquet/timestamp/NanoTimeUtils.java] > ) and `HtmlEncoder`, which have either been deprecated and/or have been > moved to a different package called jodd-util. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
