
CVE-2018-21234 in Hive 3.1.3, should upgrade to 4.0.0

Open ssainz opened this issue 3 years ago • 3 comments

Describe the bug: CVE-2018-21234 in Hive 3.1.2

To Reproduce: See also https://issues.apache.org/jira/browse/HIVE-25054

Expected behavior: Upgrade to Hive 4.0.0

ssainz avatar Aug 11 '21 01:08 ssainz

Hive has been upgraded to 3.1.3. Hive 4.0.0 is still in alpha.

jnturton avatar Feb 22 '23 06:02 jnturton

Hello @jnturton, Hive 3.1.3 is vulnerable to CVE-2018-21234.

Please see the pom.xml of Hive 3.1.3:

<jodd.version>3.5.2</jodd.version>

And please see that Jodd version 3.5.2 is still vulnerable to CVE-2018-21234: https://nvd.nist.gov/vuln/detail/CVE-2018-21234

Because Drill uses Hive 3.1.3, which uses Jodd 3.5.2, which is vulnerable, Drill is vulnerable to CVE-2018-21234.

Could you please reopen? Should I create a new defect?

ssainz avatar Mar 13 '23 02:03 ssainz
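To make a transitive chain like the one in the comment above checkable rather than eyeballed, here is an added example (not code from this issue, from Drill or from Hive) that walks the text output of `mvn dependency:tree` and reports the full root-to-leaf path for every artifact listed as affected. The Drill and Hive Maven coordinates, the `org.jodd:jodd-core` artifact id and the sample tree are assumptions constructed for illustration; only the Hive 3.1.3 and Jodd 3.5.2 versions come from the thread.

```python
# Added example: surface the path to an affected transitive dependency
# (drill -> hive -> jodd) from `mvn dependency:tree` text output.

# Constructed sample of dependency:tree output. Module coordinates and the
# Drill/Calcite versions are assumed for illustration, not taken from a pom.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:tree (default-cli) @ drill-storage-hive-core ---
[INFO] org.apache.drill.contrib:drill-storage-hive-core:jar:1.21.0
[INFO] +- org.apache.hive:hive-exec:jar:3.1.3:compile
[INFO] |  +- org.jodd:jodd-core:jar:3.5.2:compile
[INFO] |  \\- org.apache.hive:hive-common:jar:3.1.3:compile
[INFO] \\- org.apache.calcite:calcite-core:jar:1.34.0:compile
[INFO] BUILD SUCCESS
"""

# (group:artifact, version) pairs the advisory names; jodd-core id is assumed.
AFFECTED = {("org.jodd:jodd-core", "3.5.2")}

SCOPES = {"compile", "test", "runtime", "provided", "system", "import"}
PREFIX_CHARS = "|+\\- "  # the 3-char tree tokens: "+- ", "\\- ", "|  ", "   "


def parse_tree(text):
    """Yield (depth, coordinate) for each artifact line; skip plugin banners."""
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        body = raw[len("[INFO] "):]
        idx = 0
        while idx < len(body) and body[idx] in PREFIX_CHARS:
            idx += 1
        coord = body[idx:]
        # Real tree lines have a prefix that is a multiple of 3 and no spaces.
        if not coord or idx % 3 or " " in coord or coord.count(":") < 3:
            continue
        yield idx // 3, coord


def split_coord(coord):
    """'g:a:type[:classifier]:version[:scope]' -> ('g:a', version)."""
    parts = coord.split(":")
    version = parts[-2] if parts[-1] in SCOPES else parts[-1]
    return f"{parts[0]}:{parts[1]}", version


def find_affected(text, affected=AFFECTED):
    """Return 'root -> ... -> hit' chains for every affected artifact found."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        ga, version = split_coord(coord)
        del stack[depth:]  # pop back to this node's parent
        stack.append(f"{ga}:{version}")
        if (ga, version) in affected:
            hits.append(" -> ".join(stack))
    return hits


if __name__ == "__main__":
    for chain in find_affected(SAMPLE_TREE):
        print("AFFECTED:", chain)
```

Run it against the real output of `mvn dependency:tree` on the Drill module in question to confirm whether the Jodd version Hive pulls in is the one the advisory names.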

Ah, thanks. I guess we'll have to wait for a bug fix release or the release of 4.0.0 then.

jnturton avatar Mar 13 '23 05:03 jnturton