From 0658c40206ba29e42a684637a74f138621f668e9 Mon Sep 17 00:00:00 2001
From: maltesander
Date: Thu, 7 Nov 2024 15:06:55 +0100
Subject: [PATCH 1/3] fix (hive): CVE-2024-36114

---
 CHANGELOG.md | 2 +
 ...E-2024-36114-bump-aircompressor-0-27.patch | 37 +++++++++++++++++++
 hive/stackable/patches/3.1.3/series | 1 +
 ...E-2024-36114-bump-aircompressor-0-27.patch | 37 +++++++++++++++++++
 4 files changed, 77 insertions(+)
 create mode 100644 hive/stackable/patches/3.1.3/12-CVE-2024-36114-bump-aircompressor-0-27.patch
 create mode 100644 hive/stackable/patches/4.0.0/04-CVE-2024-36114-bump-aircompressor-0-27.patch

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93a278f7f..e5a84c9ba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ All notable changes to this project will be documented in this file.
 - spark: Add HBase connector ([#878], [#882]).
 - hbase: hbase-entrypoint.sh script to start and gracefully stop services ([#898]).
 - tools: install yq command line tool for YAML manipulation ([#912]).
+- hive: Fix CVE-2024-36114 in Hive `3.1.3` and `4.0.0` by upgrading a dependency. ([#xxx]).
 
 ### Changed
 
@@ -101,6 +102,7 @@ All notable changes to this project will be documented in this file.
 [#912]: https://github.com/stackabletech/docker-images/pull/912
 [#913]: https://github.com/stackabletech/docker-images/pull/913
 [#914]: https://github.com/stackabletech/docker-images/pull/914
+[#xxx]: https://github.com/stackabletech/docker-images/pull/xxx
 
 ## [24.7.0] - 2024-07-24
 
diff --git a/hive/stackable/patches/3.1.3/12-CVE-2024-36114-bump-aircompressor-0-27.patch b/hive/stackable/patches/3.1.3/12-CVE-2024-36114-bump-aircompressor-0-27.patch
new file mode 100644
index 000000000..5c51a882a
--- /dev/null
+++ b/hive/stackable/patches/3.1.3/12-CVE-2024-36114-bump-aircompressor-0-27.patch
@@ -0,0 +1,37 @@
+Fix CVE-2024-36114
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index e36f1e64f0..7758f71859 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -93,6 +93,12 @@
+ 
+ 
+ 
++ 
++ 
++ io.airlift
++ aircompressor
++ 0.27
++ 
+ 
+ org.apache.orc
+ orc-core
diff --git a/hive/stackable/patches/3.1.3/series b/hive/stackable/patches/3.1.3/series
index e92178804..c05f5d512 100644
--- a/hive/stackable/patches/3.1.3/series
+++ b/hive/stackable/patches/3.1.3/series
@@ -10,3 +10,4 @@
 09-maven-warning.patch
 10-postgres-driver.patch
 11-cyclonedx-plugin.patch
+12-CVE-2024-36114-bump-aircompressor-0-27.patch
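Review bot: The nested standalone-metastore/pom.xml hunk declares io.airlift:aircompressor 0.27 in that single module only, and because the XML element names did not survive extraction here it is not visible whether this is a `<dependencyManagement>` entry or a direct `<dependency>`; the same applies to the 4.0.0 patch in the next file section. If it is a direct dependency, Maven's nearest-wins resolution fixes the version for standalone-metastore alone, and any other Hive module that reaches aircompressor transitively (presumably via the neighbouring orc-core entry) would still resolve the vulnerable version into the image. A `<dependencyManagement>` pin in the root pom would cover every module with one declaration; whichever form is used, the patch header should record how the fix was confirmed, e.g. `Verified with mvn dependency:tree that aircompressor resolves to 0.27 in every module packaged into the image.` The CVE text quoted in the header is the advisory summary and does not say which Hive code paths decompress untrusted input, so the changelog wording "by upgrading a dependency" could usefully name aircompressor explicitly.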
diff --git a/hive/stackable/patches/4.0.0/04-CVE-2024-36114-bump-aircompressor-0-27.patch b/hive/stackable/patches/4.0.0/04-CVE-2024-36114-bump-aircompressor-0-27.patch
new file mode 100644
index 000000000..09561cf91
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/04-CVE-2024-36114-bump-aircompressor-0-27.patch
@@ -0,0 +1,37 @@
+Fix CVE-2024-36114
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 28ac5ceb65..8f2edd7b8e 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -120,6 +120,12 @@
+ 
+ 
+ 
++ 
++ 
++ io.airlift
++ aircompressor
++ 0.27
++ 
+ 
+ org.apache.orc
+ orc-core
From 15b6e1d152e9e0047109a278dd0ed2646d2eaea2 Mon Sep 17 00:00:00 2001
From: maltesander
Date: Thu, 7 Nov 2024 15:09:29 +0100
Subject: [PATCH 2/3] adapt changelog

---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e5a84c9ba..ce1d808ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,7 +24,7 @@ All notable changes to this project will be documented in this file.
 - spark: Add HBase connector ([#878], [#882]).
 - hbase: hbase-entrypoint.sh script to start and gracefully stop services ([#898]).
 - tools: install yq command line tool for YAML manipulation ([#912]).
-- hive: Fix CVE-2024-36114 in Hive `3.1.3` and `4.0.0` by upgrading a dependency. ([#xxx]).
+- hive: Fix CVE-2024-36114 in Hive `3.1.3` and `4.0.0` by upgrading a dependency. ([#922]).
 
 ### Changed
 
@@ -102,7 +102,7 @@ All notable changes to this project will be documented in this file.
 [#912]: https://github.com/stackabletech/docker-images/pull/912
 [#913]: https://github.com/stackabletech/docker-images/pull/913
 [#914]: https://github.com/stackabletech/docker-images/pull/914
-[#xxx]: https://github.com/stackabletech/docker-images/pull/xxx
+[#922]: https://github.com/stackabletech/docker-images/pull/922
 
 ## [24.7.0] - 2024-07-24
 
From 4dba73167165bb4412309ba939356da94dc86f83 Mon Sep 17 00:00:00 2001
From: maltesander
Date: Thu, 7 Nov 2024 17:10:06 +0100
Subject: [PATCH 3/3] fix changelog

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ce1d808ad..eb6193da5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,7 +24,6 @@ All notable changes to this project will be documented in this file.
 - spark: Add HBase connector ([#878], [#882]).
 - hbase: hbase-entrypoint.sh script to start and gracefully stop services ([#898]).
 - tools: install yq command line tool for YAML manipulation ([#912]).
-- hive: Fix CVE-2024-36114 in Hive `3.1.3` and `4.0.0` by upgrading a dependency. ([#922]).
 
 ### Changed
 
@@ -61,6 +60,7 @@ All notable changes to this project will be documented in this file.
 - hbase: link to phoenix server jar ([#811]).
 - trino: Correctly report Trino version ([#881]).
+- hive: Fix CVE-2024-36114 in Hive `3.1.3` and `4.0.0` by upgrading a dependency. ([#922]).
 
 [#783]: https://github.com/stackabletech/docker-images/pull/783
 [#797]: https://github.com/stackabletech/docker-images/pull/797