[
https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15020695#comment-15020695
]
Reuben Kuhnert commented on HIVE-12469:
---------------------------------------
I hear you. I guess the issue is not so much where the jar comes from, but
rather the jar itself. If we are still using version {{3.2.1}} even if it comes
from the end user's machine, that will still contain the exploit. Is there a
reason we cant bump the version to {{3.2.2}}? Everything else looks good to me.
> Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address
> vulnerability
> ---------------------------------------------------------------------------------
>
> Key: HIVE-12469
> URL: https://issues.apache.org/jira/browse/HIVE-12469
> Project: Hive
> Issue Type: Bug
> Components: Build Infrastructure
> Reporter: Reuben Kuhnert
> Assignee: Reuben Kuhnert
> Priority: Blocker
> Attachments: HIVE-12469.patch
>
>
> Currently the commons-collections (3.2.1) library allows for invocation of
> arbitrary code through {{InvokerTransformer}}, need to bump the version of
> commons-collections from 3.2.1 to 3.2.2 to resolve this issue.
> Results of {{mvn dependency:tree}}:
> {code}
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Building Hive HPL/SQL 2.0.0-SNAPSHOT
> [INFO]
> ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
> [INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
> [INFO] +- com.google.guava:guava:jar:14.0.1:compile
> [INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
> {code}
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Building Hive Packaging 2.0.0-SNAPSHOT
> [INFO]
> ------------------------------------------------------------------------
> [INFO] +- org.apache.hive:hive-hbase-handler:jar:2.0.0-SNAPSHOT:compile
> [INFO] | +- org.apache.hbase:hbase-server:jar:1.1.1:compile
> [INFO] | | +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
> {code}
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Building Hive Common 2.0.0-SNAPSHOT
> [INFO]
> ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-common ---
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.6.0:compile
> [INFO] | +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
> {{Hadoop-Common}} dependency also found in: LLAP, Serde, Storage, Shims,
> Shims Common, Shims Scheduler)
> {code}
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Building Hive Ant Utilities 2.0.0-SNAPSHOT
> [INFO]
> ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-ant ---
> [INFO] | +- commons-collections:commons-collections:jar:3.1:compile
> {code}
> {code}
> [INFO]
>
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Building Hive Accumulo Handler 2.0.0-SNAPSHOT
> [INFO]
> ------------------------------------------------------------------------
> [INFO] +- org.apache.accumulo:accumulo-core:jar:1.6.0:compile
> [INFO] | +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
