Details
- Type: Bug
- Status: Triage Needed
- Priority: P2
- Resolution: Unresolved
- Affects Version/s: 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0
- Fix Version/s: None
Description
beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog, transitively) declare a Provided dependency on org.apache.hive:hive-exec. Users are expected to include a version of those libraries on their classpath when using these Beam artifacts.
However, at this time Hive has not yet made a release that bumps its log4j dependency >= 2.16.0 for CVE-2021-44228. This is ready for Hive 4.0 (HIVE-25795), whenever it is released. Ideally for Beam it would be backported to 2.x (HIVE-25824) as well.
In the meantime, users of beam-sdks-java-io-hcatalog (and beam-sdks-java-extensions-sql-hcatalog) should take care to override the transitive log4j dependency when they add a Hive dependency. See https://blog.gradle.org/log4j-vulnerability for advice on how to safely configure a Gradle build.
Beam currently continuously tests these artifacts with log4j 2.17.0.
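The override described above, shown as an added Gradle (Groovy DSL) build fragment that is not part of this issue, the Beam project or the linked Gradle post. It assumes a plain Java project that adds hive-exec itself because Beam only marks it Provided; the `beamVersion` and `hiveVersion` properties and the list of companion log4j modules are assumptions to be checked against your own resolved dependency graph.

```groovy
// Added example: force the log4j 2.x line that hive-exec drags in transitively
// onto a patched release. Version properties are assumed to live in gradle.properties.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Assumption: the log4j modules Hive's pom pulls in besides log4j-core. Verify the
// real set for your Hive version with the dependencyInsight task (see note below).
def log4jModules = [
    'org.apache.logging.log4j:log4j-api',
    'org.apache.logging.log4j:log4j-core',
    'org.apache.logging.log4j:log4j-1.2-api',
    'org.apache.logging.log4j:log4j-slf4j-impl',
]

dependencies {
    implementation "org.apache.beam:beam-sdks-java-io-hcatalog:${beamVersion}"
    // hive-exec is only Provided by Beam, so the application declares it; this is
    // the declaration that brings the unpatched log4j artifacts onto the classpath.
    implementation "org.apache.hive:hive-exec:${hiveVersion}"

    constraints {
        log4jModules.each { module ->
            implementation(module) {
                // strictly() overrides whatever version Hive requests instead of
                // merely being the highest candidate; the open upper bound still
                // allows later 2.x patch releases to be picked up.
                version { strictly('[2.17, 3[') }
                because('CVE-2021-44228: hive-exec has not yet released a fixed log4j')
            }
        }
    }
}

// Belt and braces for configurations the constraints do not reach (e.g. plugin
// classpaths): reject any resolution of log4j-core that is not at least 2.17.0.
configurations.all {
    resolutionStrategy.force 'org.apache.logging.log4j:log4j-core:2.17.0'
}
```

After applying this, `./gradlew dependencyInsight --dependency log4j-core --configuration runtimeClasspath` shows which version was selected and why, which is the check to run before trusting the override.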