Update Apache Thrift #19

Closed
redcatbear opened this issue Mar 15, 2021 · 1 comment · Fixed by #20
Labels
bug Unwanted / harmful behavior

Comments

@redcatbear

Situation

Dependabot reported the following CVE in the Apache Thrift dependency:

CVE-2020-13949
high severity
Vulnerable versions: >= 0.9.3, <= 0.13.0
Patched version: 0.14.0

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

https://github.com/exasol/hive-virtual-schema/security/dependabot/pom.xml/org.apache.thrift:libthrift/open

Acceptance Criteria

  • Apache Thrift dependency updated to 0.14.0 or later
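As an added example (not code from the hive-virtual-schema project or from the issue author), the check below resolves the `org.apache.thrift:libthrift` version declared in a pom.xml, including a `${property}` placeholder, and tests it against the range Dependabot reported above (>= 0.9.3, <= 0.13.0 vulnerable, 0.14.0 patched) and the acceptance criterion (0.14.0 or later). The pom fragment is constructed for the example and is not the project's real pom; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (not the project's real pom): declares libthrift
# through a property, at a version inside the range Dependabot flagged.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <thrift.version>0.13.0</thrift.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.thrift</groupId>
      <artifactId>libthrift</artifactId>
      <version>${thrift.version}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>42.2.19</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# CVE-2020-13949 as reported in the issue: inclusive vulnerable range and patched version.
VULN_MIN = "0.9.3"
VULN_MAX = "0.13.0"
PATCHED = "0.14.0"


def parse_version(version):
    """Turn '0.13.0' into (0, 13, 0); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def resolve_property(value, props):
    """Expand ${name} placeholders from <properties>; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def declared_versions(pom_xml, group_id, artifact_id):
    """Return the resolved version strings declared for group:artifact in the pom."""
    root = ET.fromstring(pom_xml)
    props = {}
    for prop in root.findall("m:properties/*", NS):
        props[prop.tag.split("}", 1)[-1]] = (prop.text or "").strip()
    found = []
    for dep in root.findall(".//m:dependency", NS):
        g = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        v = dep.findtext("m:version", default="", namespaces=NS).strip()
        if g == group_id and a == artifact_id and v:
            found.append(resolve_property(v, props))
    return found


def is_vulnerable(version):
    """True when the version lies inside the advisory's inclusive range."""
    v = parse_version(version)
    return parse_version(VULN_MIN) <= v <= parse_version(VULN_MAX)


def meets_acceptance(version):
    """True when the version satisfies 'updated to 0.14.0 or later'."""
    return parse_version(version) >= parse_version(PATCHED)


def check_pom(pom_xml):
    """Map each declared libthrift version to 'vulnerable', 'fixed' or 'outside_range'."""
    result = {}
    for v in declared_versions(pom_xml, "org.apache.thrift", "libthrift"):
        if is_vulnerable(v):
            result[v] = "vulnerable"
        elif meets_acceptance(v):
            result[v] = "fixed"
        else:
            result[v] = "outside_range"  # older than 0.9.3: not covered by this advisory
    return result


if __name__ == "__main__":
    print(check_pom(SAMPLE_POM))
```

Note that this only inspects versions declared directly in the pom; a libthrift pulled in transitively (as the Hive dependency does here) shows up only in the resolved tree, e.g. `mvn dependency:tree`, which is why the eventual fix removed the Hive dependencies from the build rather than pinning a version.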

AnastasiiaSergienko commented Mar 15, 2021

Here is a comment from our pom:

This dependency contains the vulnerability: https://ossindex.sonatype.org/vuln/0e739750-40a8-44bf-8cbc-776fcdd5e7f4?component-type=maven&component-name=org.apache.thrift.libthrift&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
But we can't exclude it because it's used in the integration test. Update is also not possible; the latest version is not compatible.

I've rechecked it and the comment is correct: I can't update the dependency, the integration test is broken after it.

AnastasiiaSergienko added a commit that referenced this issue Mar 15, 2021
* #19: Removed all Hive dependencies from pom.xml file and added runtime loading for Hive JDBC driver.
3 participants