Xing Wei created HIVE-27510:
-------------------------------

             Summary: Security vulnerability of hive-exec's dependency of Parquet-MR
                 Key: HIVE-27510
                 URL: https://issues.apache.org/jira/browse/HIVE-27510
             Project: Hive
          Issue Type: Bug
          Components: Hive
   Affects Versions: All Versions
            Reporter: Xing Wei

Hi, so there's a Parquet-MR security vulnerability reported in this [CVE link|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41561]. Given Parquet-MR is also a direct dependency of hive-exec, this impacts users who are leveraging this particular JAR package to achieve Parquet read and write capabilities.

The latest stable release of hive-exec is 3.1.3. And according to its Maven POM file, the version of Parquet-MR lib that gets packaged is 1.10.0. To address the security issue, the version needs to be upgraded to 1.12.2 or 1.11.2.

We believe security is of utmost priority, which is why the priority is marked as critical. We've been using hive-exec to serve our customers in Parquet-related workloads in production. Please let us know if there's any plan to upgrade Parquet-MR in the near future.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)