Comments (6)
mricken
commented on June 16, 2024
To be a little bit more verbose: In your pom.xml file, you can add direct dependencies on log4j version 2.17.0 or newer.
<dependencies>
<!-- ... -->
<dependency>
<groupId>com.oracle.oci.sdk</groupId>
<artifactId>oci-hdfs-connector</artifactId>
<version>3.3.1.0.0.0</version>
</dependency>
<!-- Add these with version 2.17.0 or newer -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j</artifactId>
<version>2.17.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.17.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-1.2-api</artifactId>
<version>2.17.0</version>
</dependency>
<!-- ... -->
</dependencies>
(Comment updated to reflect that CVE-2021-45046 requires upgrading to 2.17.0 or newer.)
from oci-hdfs-connector.
mricken
commented on June 16, 2024
It looks like the fix in 2.15.0 was incomplete, and that everyone should upgrade to 2.16.0.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
from oci-hdfs-connector.
y-chandra
commented on June 16, 2024
We've updated the version of log4j dependencies to 2.16.0 in our latest release of the OCI HDFS Connector (version 3.3.1.0.2.0). The latest version is available via github source/releases and maven to download and use.
from oci-hdfs-connector.
y-chandra
commented on June 16, 2024
Another vulnerability was discovered in version 2.16.0 of log4j that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This vulnerability has been published as CVE-2021-45105. We're working on releasing a new version of the OCI HDFS Connector with log4j version 2.17.0 that has the fix for the aforementioned vulnerability.
from oci-hdfs-connector.
y-chandra
commented on June 16, 2024
We've updated the version of log4j dependencies to 2.17.0 in our latest release of the OCI HDFS Connector (version 3.3.1.0.3.0). The latest version is available via github source/releases and maven to download and use.
from oci-hdfs-connector.
jodoglevy
commented on June 16, 2024
This issue is now resolved -- however, we will leave this GitHub issue open for awareness purposes.
from oci-hdfs-connector.
Related Issues (20)
- How to configure the filesystem implementation in spark configuration HOT 2
- BmcDataStore -> rename is not thread safe. throwing java.io.IOException: Unable to perform rename HOT 2
- OCI configurations get ignored in pyspark HOT 1
- The content type is not supported HOT 2
- Pyspark py4j.protocol.Py4JJavaError: An error occurred while calling o95.csv. HOT 3
- Missing fs.oci.buffer.dir HOT 5
- Support for Apache Flink HOT 2
- Add shading logic used to create oci-hdfs-full-<version>.jar HOT 4
- Potential data corruption issue for OCI HDFS Connector with RefreshableOnNotAuthenticatedProvider HOT 1
- There is a vulnerability in guava 28.0-jre,upgrade recommended HOT 1
- ls: Unable to fetch file status for HDFS, connector version: 3.3.0.3 HOT 1
- BmcDataStore -> renameDirectory fails to rename when a file has special characters(*,$,^,?,+,|) HOT 3
- hive external table of OCI object storage , run select count(*) return error : No FileSystem for scheme "oci" HOT 4
- presto access hive OCI object external table failed. return Unable to extract password HOT 6
- Full รผber jar contains unshaded problematic third party libraries HOT 3
- Closing stream and read fails, possible stale connection on upgrade from 3.2.1.3 to 3.3.0.7.0.1 with Jersey connector HOT 10
- `ArrayIndexOutOfBoundsException` in read-ahead mode HOT 4
- OCI HDFS connector in read-ahead mode doesn't emit `bytesRead` input metric HOT 6
- Problem with certificates HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oci-hdfs-connector.