[ https://issues.apache.org/jira/browse/HIVE-27102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17838656#comment-17838656 ]
Frank Grimes edited comment on HIVE-27102 at 3/29/25 7:11 PM:
--------------------------------------------------------------
Any update on this? I see that Hive 4.0.0 has recently been released but it
still uses calcite-1.25.0 which we believe is still vulnerable to the following:
- [CVE-2020-13955 - Missing Authentication for Critical Function in Apache
Calcite|https://nvd.nist.gov/vuln/detail/CVE-2020-13955]
- [CVE-2022-39135 - Apache Calcite before 1.32.0 vulnerable to potential XML
External Entity (XXE) attack|https://nvd.nist.gov/vuln/detail/CVE-2022-39135]
was (Author: frankgrimes97):
Any update on this? I see that Hive 4.0.0 has recently been released but it
still uses calcite-1.2.5 which we believe is still vulnerable to the following:
- [CVE-2020-13955 - Missing Authentication for Critical Function in Apache
Calcite|https://nvd.nist.gov/vuln/detail/CVE-2020-13955]
- [CVE-2022-39135 - Apache Calcite before 1.32.0 vulnerable to potential XML
External Entity (XXE) attack|https://nvd.nist.gov/vuln/detail/CVE-2022-39135]
> Upgrade Calcite to 1.33.0 and Avatica to 1.23.0
> -----------------------------------------------
>
> Key: HIVE-27102
> URL: https://issues.apache.org/jira/browse/HIVE-27102
> Project: Hive
> Issue Type: Improvement
> Components: CBO
> Reporter: Stamatis Zampetakis
> Assignee: Stamatis Zampetakis
> Priority: Major
> Labels: pull-request-available
>
> New versions for Calcite and Avatica are available so we should upgrade to
> them.
> I had some WIP in HIVE-26610 for upgrading calcite to 1.32.0 but given that
> the work was not in a very advanced state it is preferred to jump directly to
> 1.33.0.
> Avatica must be in line with Calcite so both need to be updated at the same
> time.