HIVE-25824: Upgrade log4j dependencies to 2.17.0 #2908

elukey · 2021-12-23T11:00:16Z

What changes were proposed in this pull request?

This change should mimic what done in the 3.x and master branches to fix the various CVEs related to log4j.

How was this patch tested?

The Apache Bigtop project used the same patch on top of 2.3.6 (released with Bigtop 1.5) and all our build/smoke-tests passed.
More info apache/bigtop#844

elukey · 2021-12-23T11:00:40Z

Running mvn clean install leads me to:

[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskSchedulerService
[INFO] Tests run: 24, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.385 s - in org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskSchedulerService
[INFO] Running org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskCommunicator
[ERROR] Tests run: 2, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.075 s <<< FAILURE! - in org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskCommunicator
[ERROR] org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskCommunicator.testFinishableStateUpdateFailure  Time elapsed: 1.025 s  <<< ERROR!
java.lang.NullPointerException
	at org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos$SignableVertexSpec$Builder.setUser(LlapDaemonProtocolProtos.java:4842)
	at org.apache.hadoop.hive.llap.tez.Converters.constructSignableVertexSpec(Converters.java:135)
	at org.apache.hadoop.hive.llap.tezplugins.LlapTaskCommunicator.constructSubmitWorkRequest(LlapTaskCommunicator.java:726)
	at org.apache.hadoop.hive.llap.tezplugins.LlapTaskCommunicator.registerRunningTaskAttempt(LlapTaskCommunicator.java:334)
	at org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskCommunicator$LlapTaskCommunicatorWrapperForTest.registerRunningTaskAttemptWithSourceVertex(TestLlapTaskCommunicator.java:336)
	at org.apache.hadoop.hive.llap.tezplugins.TestLlapTaskCommunicator.testFinishableStateUpdateFailure(TestLlapTaskCommunicator.java:142)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.FailOnTimeout$StatementThread.run(FailOnTimeout.java:74)

This change should mimic what done in the 3.x and master branches to fix the various CVEs related to log4j. The Apache Bigtop project used the same patch on top of 2.3.6 (released with Bigtop 1.5) and all our build/smoke-tests passed.

elukey · 2021-12-23T15:47:12Z

If anybody could help/chime-in I'd be grateful, I think that the errors pointed out above is unrelated to my change (not sure about the one that Travis is complaining about thought).

Edit: I verified and the above test leads to the same failure even without my commit..

sunchao · 2021-12-23T17:19:04Z

@elukey yes, branch-2.3 currently has a bunch of flaky tests which your PR is probably unrelated.

elukey · 2021-12-29T09:57:27Z

@sunchao how should we proceed with this pull request?

sunchao · 2022-01-07T23:29:41Z

Sorry for the late reply @elukey ! it seems the CI run failed due to timeout. Let me re-trigger it first.

sunchao

LGTM. I checked the test results and all the failures are known ones.

sunchao · 2022-01-13T06:06:07Z

Merged to branch-2.3, thanks @elukey !

elukey · 2022-01-13T09:40:52Z

@sunchao thanks a lot for your support! Is there any chance to get a new release in the future?

sunchao · 2022-01-13T18:25:29Z

@elukey yes I'll try to start a new release for branch-2.3 soon, perhaps in a few weeks.

Gingernaut · 2022-01-18T22:05:44Z

@sunchao any updates on when a 3.x branch update might be released? Seems the last release was July 2020, and with the log4j vulnerability it seems it would be a high priority fix to publish a new version for.

sunchao · 2022-01-18T22:08:12Z

@Gingernaut I believe Naveen is planning to make a 3.x release soon. You can subscribe to https://issues.apache.org/jira/browse/HIVE-25855 for the latest update.

vrao91 · 2022-02-21T04:02:06Z

When checking the version of hive, it's still showing 2.3.6.

bin/hive --version

Hive 2.3.6-amzn-0
Git git://<ip-address>/workspace/workspace/bigtop.release-rpm-5.28.1/build/hive/rpm/BUILD/apache-hive-2.3.6-amzn-0-src -r a3b61461af0d6b4d981c915b0a1f342464987aaa

Compiled by ec2-user on Sat Dec 14 09:17:06 UTC 2019
From source with checksum 308f8d79fe62254ef0c65ed73f5847ca

Any ideas?

sunchao · 2022-02-21T16:51:36Z

Hive 2.3.6-amzn-0? is not official Apache release though. Where did get it?

This change should mimic what done in the 3.x and master branches to fix the various CVEs related to log4j. The Apache Bigtop project used the same patch on top of 2.3.6 (released with Bigtop 1.5) and all our build/smoke-tests passed.

kgyrtkirk added the tests pending label Dec 23, 2021

HIVE-25824: Upgrade log4j dependencies to 2.17.0

3c6d5f4

This change should mimic what done in the 3.x and master branches to fix the various CVEs related to log4j. The Apache Bigtop project used the same patch on top of 2.3.6 (released with Bigtop 1.5) and all our build/smoke-tests passed.

elukey force-pushed the branch-2.3 branch from 1218b03 to 3c6d5f4 Compare December 23, 2021 11:03

kgyrtkirk added tests failed and removed tests pending labels Dec 23, 2021

kgyrtkirk added tests pending and removed tests failed labels Dec 23, 2021

kgyrtkirk added tests failed and removed tests pending labels Dec 23, 2021

kgyrtkirk added tests pending tests unstable and removed tests failed tests pending labels Jan 7, 2022

sunchao approved these changes Jan 12, 2022

View reviewed changes

sunchao changed the title ~~[WIP] HIVE-25824: Upgrade log4j dependencies to 2.17.0~~ HIVE-25824: Upgrade log4j dependencies to 2.17.0 Jan 13, 2022

sunchao merged commit 7b7e8d4 into apache:branch-2.3 Jan 13, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HIVE-25824: Upgrade log4j dependencies to 2.17.0 #2908

HIVE-25824: Upgrade log4j dependencies to 2.17.0 #2908

elukey commented Dec 23, 2021

elukey commented Dec 23, 2021

elukey commented Dec 23, 2021 •

edited

sunchao commented Dec 23, 2021

elukey commented Dec 29, 2021

sunchao commented Jan 7, 2022

sunchao left a comment

sunchao commented Jan 13, 2022

elukey commented Jan 13, 2022

sunchao commented Jan 13, 2022

Gingernaut commented Jan 18, 2022

sunchao commented Jan 18, 2022

vrao91 commented Feb 21, 2022

sunchao commented Feb 21, 2022

HIVE-25824: Upgrade log4j dependencies to 2.17.0 #2908

HIVE-25824: Upgrade log4j dependencies to 2.17.0 #2908

Conversation

elukey commented Dec 23, 2021

What changes were proposed in this pull request?

How was this patch tested?

elukey commented Dec 23, 2021

elukey commented Dec 23, 2021 • edited

sunchao commented Dec 23, 2021

elukey commented Dec 29, 2021

sunchao commented Jan 7, 2022

sunchao left a comment

Choose a reason for hiding this comment

sunchao commented Jan 13, 2022

elukey commented Jan 13, 2022

sunchao commented Jan 13, 2022

Gingernaut commented Jan 18, 2022

sunchao commented Jan 18, 2022

vrao91 commented Feb 21, 2022

sunchao commented Feb 21, 2022

elukey commented Dec 23, 2021 •

edited