[
https://issues.apache.org/jira/browse/HIVE-25804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459803#comment-17459803
]
Zoltan Haindrich commented on HIVE-25804:
-----------------------------------------
Because the most recent vulnerability is only evadable by removing the "bad"
JndiLookup class, I think the biggest problem people are facing is identifying
the jars which should be looked at; the following one-liner script looks into
all jars from the current directory and lists affected jars:
{code}
# class whose presence marks a jar as affected
pat=org/apache/logging/log4j/core/lookup/JndiLookup.class
# exported so the inner "bash -c" below can see it; jars whose copy of this
# class has the md5 given on the last line are dropped from the listing
export mc=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class
find . -name '*.jar' | xargs -n1 -IJAR unzip -t JAR \
  | fgrep -f <(echo "$pat"; echo 'Archive:') \
  | grep -B1 "$pat" | grep '^Archive:' | cut -d '/' -f2- \
  | xargs -n1 -IJAR bash -c 'unzip -p JAR "$mc" | md5sum | paste - <(echo JAR)' \
  | fgrep -vf <(echo 374fa1c796465d8f542bb85243240555)
{code}
It only lists them; you should still run the removal command on the jars
manually:
{code}
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
{code}
> Update log4j2 version to 2.16.0 to incorporate further CVE-2021-44228
> hardening
> -------------------------------------------------------------------------------
>
> Key: HIVE-25804
> URL: https://issues.apache.org/jira/browse/HIVE-25804
> Project: Hive
> Issue Type: Bug
> Components: Logging
> Reporter: Csaba Juhász
> Assignee: Csaba Juhász
> Priority: Major
> Labels: pull-request-available
> Fix For: 4.0.0
>
> Attachments: HIVE-25804.patch
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
> https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
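The same check as the comment's one-liner, written in Python with the removal step added, as an editorial example that is not part of the Jira thread or of Hive. It goes beyond the one-liner in one respect: it also descends into archives nested inside a jar, war or ear (the `outer.war!/inner.jar` labels follow Java's `jar:` URL convention), which is where log4j-core often hides in deployed applications. The class files in the sample tree are constructed placeholder bytes, not real bytecode, and no known-good digest of `MessagePatternConverter.class` is hard-coded: the scanner reports the md5 so it can be compared against whatever value applies to the log4j-core build you consider fixed.

```python
"""Find archives that ship log4j-core's JndiLookup class and produce a copy without it."""
import hashlib
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MSG_CONVERTER = "org/apache/logging/log4j/core/pattern/MessagePatternConverter.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label):
    """Return [(label, md5 of MessagePatternConverter or None)] for this archive and
    for every nested archive inside it that contains JndiLookup.class."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        if JNDI_LOOKUP in names:
            digest = None
            if MSG_CONVERTER in names:
                # compare against the digest of the class in your fixed log4j-core build
                digest = hashlib.md5(zf.read(MSG_CONVERTER)).hexdigest()
            hits.append((label, digest))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    hits.extend(scan_archive(zf.read(name), label + "!/" + name))
                except zipfile.BadZipFile:
                    pass  # member only looks like an archive by its extension
    return hits


def find_affected_jars(root):
    """Walk root and collect hits (see scan_archive) for every archive under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                hits.extend(scan_archive(data, path))
            except zipfile.BadZipFile:
                pass
    return hits


def strip_jndi_lookup(src, dst):
    """Write dst as a copy of src without JndiLookup.class, the equivalent of
    `zip -q -d src org/apache/logging/log4j/core/lookup/JndiLookup.class`.
    Only the top-level archive is rewritten; nested jars need their own pass.
    Returns True if the class was present and dropped."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            zout.writestr(info, zin.read(info.filename))  # keeps per-entry compression
    return removed


def _make_archive(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample input: placeholder bytes stand in for real class files."""
    vulnerable = _make_archive({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe placeholder JndiLookup",
        MSG_CONVERTER: b"\xca\xfe\xba\xbe placeholder MessagePatternConverter",
    })
    clean = _make_archive({"com/example/App.class": b"\xca\xfe\xba\xbe placeholder"})
    war = _make_archive({"WEB-INF/web.xml": b"<web-app/>",
                         "WEB-INF/lib/log4j-core.jar": vulnerable})
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for rel, data in (("lib/log4j-core.jar", vulnerable), ("lib/other.jar", clean), ("app.war", war)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree, list affected archives, strip the top-level jar, rescan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    before = [label for label, _ in find_affected_jars(root)]
    jar = os.path.join(root, "lib", "log4j-core.jar")
    removed = strip_jndi_lookup(jar, jar + ".tmp")
    os.replace(jar + ".tmp", jar)
    after = [label for label, _ in find_affected_jars(root)]
    return {"root": root, "before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` lists two affected archives (the loose jar and the copy inside `app.war`), strips the loose one, and on the rescan only the nested copy remains, which is the point of the `!/` labels: the one-liner on the page only sees top-level jars, so anything packaged inside a war or shaded jar has to be repacked separately.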