HIVE-27518: [2.3] Upgrade log4j2 from 2.17.0 to 2.17.2 #4505

Merged 1 commit on Jul 27, 2023


pan3793 commented Jul 20, 2023

What changes were proposed in this pull request?

Upgrade log4j2 from 2.17.0 to 2.17.2

Why are the changes needed?

CVE-2021-44832 - Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Does this PR introduce any user-facing change?

No.

Is the change a dependency upgrade?

Yes, it's a patched version upgrade.

How was this patch tested?

Jenkins.
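
An added example, not part of this pull request or the Hive code base: a small Python audit that applies the version range and the `java:`-only rule quoted in the description above. It assumes an XML Log4j2 configuration with `JDBC` appenders that carry a `DataSource jndiName` attribute; the sample configuration, its host name and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from Hive): one JDBC appender resolves
# its DataSource over LDAP, the other uses the java: scheme.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="ldap://directory.example.internal:389/cn=LoggingDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="appDb" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""

# Security fix releases on older lines that the CVE text excludes from the range.
FIXED_BACKPORTS = {(2, 3, 2), (2, 12, 4)}


def is_affected(version):
    """True if version is in the CVE-2021-44832 range: 2.0-beta7 through 2.17.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    nums = (int(m[1]), int(m[2]), int(m[3] or 0))
    if m[4] and nums == (2, 0, 0):
        # 2.0 pre-releases sort alpha < beta < rc; the range starts at beta7.
        return (m[4], int(m[5])) >= ("beta", 7)
    return (2, 0, 0) <= nums <= (2, 17, 0) and nums not in FIXED_BACKPORTS


def risky_jdbc_appenders(config_xml):
    """Return (appender name, jndiName) pairs whose DataSource is not java:."""
    findings = []
    for appender in ET.fromstring(config_xml).iter("JDBC"):
        for source in appender.iter("DataSource"):
            jndi = source.get("jndiName", "")
            if not jndi.lower().startswith("java:"):
                findings.append((appender.get("name"), jndi))
    return findings


if __name__ == "__main__":
    for v in ("2.17.0", "2.17.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    for name, jndi in risky_jdbc_appenders(SAMPLE_CONFIG):
        print(f"JDBC appender {name!r} uses non-java JNDI name: {jndi}")
```

Configurations written as properties, JSON or YAML are not covered by this sketch and need their own parser.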


pan3793 commented Jul 27, 2023

ping @sunchao

sunchao changed the title from "HIVE-27518. [2.3] Upgrade log4j2 from 2.17.0 to 2.17.2" to "HIVE-27518: [2.3] Upgrade log4j2 from 2.17.0 to 2.17.2" Jul 27, 2023

sunchao left a comment

LGTM

sunchao merged commit 419f51f into apache:branch-2.3 Jul 27, 2023

sunchao commented Jul 27, 2023

Merged, thanks!

Pierrotws pushed a commit to TOSIT-IO/hive that referenced this pull request Jan 13, 2024
Pierrotws pushed a commit to TOSIT-IO/hive that referenced this pull request Mar 22, 2024