Closed shotuco closed 1 year ago
David, thank you for reaching out. We are aware of this issue; unfortunately, Hive version 3.1.3 is not compatible with HDFS2. We have performed an analysis of this flaw and, to the best of our knowledge, this vulnerability is not exploitable in the context of the HDFS2 connector.
Thanks a lot, Jan!
Hi all,
The HDFS 2 connector (version 10.1.14) is using the 2.3.9 version of the Hive library. There is a HIGH vulnerability in that Hive library version (see https://nvd.nist.gov/vuln/detail/CVE-2021-34538).
That vulnerability has been fixed in Hive library version 3.1.3 in the following ticket: https://issues.apache.org/jira/browse/HIVE-25468. Looking at that ticket, we can see the following comment (20/Oct):
this patch is only present in 4.x and 3.1 branches. I don't think we would backport this patch to the Hive-2.3 branch because it is not currently actively managed.
I wonder if Hive library version 3.1.3 is compatible with HDFS 2.X (I think it is not, looking at the link https://docs.qubole.com/en/latest/user-guide/engines/hive/use-hive-versions.html).
Do any of you know how this vulnerability will be addressed in the HDFS 2 connector?
Thanks, David