HIVE:25054 Upgrade jodd-core dependency to get rid of CVE-2018-21234 #2217
All of the util classes that were used in Hive as part of the jodd-core dependency have moved to jodd-util. Upgrading to the 6.0.0 version of the jodd-util package.
What changes were proposed in this pull request?
Hive uses a version of the jodd-core dependency directly that is susceptible to CVE-2018-21234. We need to upgrade this library to a more recent version, but the higher versions don't have exactly the same classes and methods that Hive needs. There is a breaking change introduced in the library: https://github.com/oblac/jodd/blob/master/CHANGELOG_v4.md#breaking-changes-1. Currently, we use the JDateTime class (see the embedded snippets):

- hive/ql/src/java/org/apache/hadoop/hive/ql/io/parquet/timestamp/NanoTimeUtils.java, line 26 in 7b3ecf6
- hive/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp, line 35 in 7b3ecf6

The equivalent classes are JulianDate (https://github.com/oblac/jodd-util/blob/master/src/main/java/jodd/time/JulianDate.java) and HtmlEncoder (https://github.com/oblac/jodd-util/blob/03b045739cae2ddb4954c679739ef1c694d7f1e5/src/main/java/jodd/net/HtmlEncoder.java). The above two classes have been modified to use the below ones.

Note: The HtmlEncoder class hasn't changed much in functionality, except that one of the methods, strict(), has been renamed to text(). It pretty much does the same thing. The JulianDate class has changed a bit, and this piece of code needs to be reviewed carefully.
Why are the changes needed?
We need this change to get rid of CVE https://nvd.nist.gov/vuln/detail/CVE-2018-21234
Below is a brief description of it:

CVE-2018-21234
Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.
CWE-502 Deserialization of Untrusted Data
CVSSv2:
Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
MISC - oblac/jodd@9bffc39
MISC - oblac/jodd@v5.0.3...v5.0.4
MISC - oblac/jodd#628
Vulnerable Software & Versions:
cpe:2.3:a:jodd:jodd:::::::: versions up to (excluding) 5.0.4
Although we don't make use of the vulnerable method in Hive, it's good practice to keep the libraries up to date.
Does this PR introduce any user-facing change?
No.
How was this patch tested?
Ran pre-commit tests. Any suggestions to locally test this patch would be helpful. Specifically the TestParquetTimestampUtils. This test class has the method testJulianDay(), which specifically tests whether the JulianDay number is correct.
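As an added reference for reviewing the JDateTime to JulianDate migration in NanoTimeUtils and the testJulianDay() check mentioned above, the following self-contained Java class (example code added here, not Hive's NanoTimeUtils and not jodd's or jodd-util's API) computes the Julian Day Number two independent ways and round-trips a timestamp through the Parquet INT96 layout (8 bytes of nanoseconds-of-day followed by a 4-byte Julian day, little-endian). The class name, the sample timestamp and the helper names are assumptions; the anchors 1970-01-01 = 2440588 and 2000-01-01 = 2451545 are the standard Julian Day Numbers for those civil dates.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.LocalTime;

/**
 * Reference conversion between a UTC LocalDateTime and the (julianDay, nanosOfDay)
 * pair stored in a Parquet INT96 timestamp. Example code for reviewing the
 * JulianDate migration; it is NOT Hive's NanoTimeUtils and uses no jodd classes.
 */
public final class JulianDayReference {

    /** Julian Day Number of 1970-01-01 (Unix epoch), the anchor for the java.time path. */
    static final int EPOCH_JULIAN_DAY = 2440588;
    static final long NANOS_PER_DAY = 86_400L * 1_000_000_000L;

    /** JDN via java.time: days since the Unix epoch shifted by the epoch's own JDN. */
    static int julianDayNumber(LocalDate date) {
        return Math.toIntExact(date.toEpochDay() + EPOCH_JULIAN_DAY);
    }

    /**
     * Independent JDN computation (Fliegel and Van Flandern, proleptic Gregorian,
     * integer division) used to cross-check the java.time path.
     */
    static int julianDayNumberFvf(int year, int month, int day) {
        int a = (14 - month) / 12;
        int y = year + 4800 - a;
        int m = month + 12 * a - 3;
        return day + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045;
    }

    /** Encode as Parquet INT96: 8 bytes nanos-of-day, then 4 bytes Julian day, little-endian. */
    static byte[] toInt96(LocalDateTime utc) {
        int jdn = julianDayNumber(utc.toLocalDate());
        long nanosOfDay = utc.toLocalTime().toNanoOfDay();
        ByteBuffer buf = ByteBuffer.allocate(12).order(ByteOrder.LITTLE_ENDIAN);
        buf.putLong(nanosOfDay);
        buf.putInt(jdn);
        return buf.array();
    }

    /** Decode a 12-byte INT96 back to a UTC LocalDateTime, rejecting out-of-range nanos. */
    static LocalDateTime fromInt96(byte[] int96) {
        if (int96.length != 12) {
            throw new IllegalArgumentException("INT96 must be exactly 12 bytes");
        }
        ByteBuffer buf = ByteBuffer.wrap(int96).order(ByteOrder.LITTLE_ENDIAN);
        long nanosOfDay = buf.getLong();
        int jdn = buf.getInt();
        if (nanosOfDay < 0 || nanosOfDay >= NANOS_PER_DAY) {
            throw new IllegalArgumentException("nanos-of-day out of range: " + nanosOfDay);
        }
        LocalDate date = LocalDate.ofEpochDay((long) jdn - EPOCH_JULIAN_DAY);
        return LocalDateTime.of(date, LocalTime.ofNanoOfDay(nanosOfDay));
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError("check failed: " + what);
        }
    }

    public static void main(String[] args) {
        // Anchors a reviewer can compare against the migrated JulianDate-based code.
        check(julianDayNumber(LocalDate.of(1970, 1, 1)) == 2440588, "epoch via java.time");
        check(julianDayNumberFvf(1970, 1, 1) == 2440588, "epoch via FvF");
        check(julianDayNumber(LocalDate.of(2000, 1, 1)) == 2451545, "J2000 via java.time");
        check(julianDayNumberFvf(2000, 1, 1) == 2451545, "J2000 via FvF");

        // Constructed sample timestamp (assumption): round trip through the INT96 layout.
        LocalDateTime ts = LocalDateTime.of(2021, 4, 20, 13, 45, 30, 123_456_789);
        check(fromInt96(toInt96(ts)).equals(ts), "INT96 round trip");
        System.out.println("all checks passed");
    }
}
```

Compile and run with javac and java; the two anchors should match what the migrated JulianDate-based code returns for the same dates. One point worth confirming during review: whether the old JDateTime and the new JulianDate agree for dates before 1582-10-15, because a proleptic Gregorian calendar (what java.time and the FvF formula above use) and a calendar that honours the Julian/Gregorian cutover assign different day numbers to those dates.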