fix (hive): CVE-2024-36114 (#922)

maltesander · web-flow · commit ec343c0ba3e3 · 2024-11-12T10:49:57.000Z
* fix (hive): CVE-2024-36114 * adapt changelog * fix changelog
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -66,6 +66,7 @@ All notable changes to this project will be documented in this file.
 - spark: Fix CVE-2024-36114 in Spark 3.5.1 by upgrading a dependency.
   Spark 3.5.2 is not affected. ([#921])
 - trino: Correctly report Trino version ([#881]).
+- hive: Fix CVE-2024-36114 in Hive `3.1.3` and `4.0.0` by upgrading a dependency. ([#922]).
 - hbase: Fix CVE-2024-36114 in HBase `2.6.0` by upgrading a dependency. ([#925]).
 - druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]).
 
@@ -113,6 +114,7 @@ All notable changes to this project will be documented in this file.
 [#919]: https://github.com/stackabletech/docker-images/pull/919
 [#920]: https://github.com/stackabletech/docker-images/pull/920
 [#921]: https://github.com/stackabletech/docker-images/pull/921
+[#922]: https://github.com/stackabletech/docker-images/pull/922
 [#925]: https://github.com/stackabletech/docker-images/pull/925
 [#926]: https://github.com/stackabletech/docker-images/pull/926
 
diff --git a/hive/stackable/patches/3.1.3/12-CVE-2024-36114-bump-aircompressor-0-27.patch b/hive/stackable/patches/3.1.3/12-CVE-2024-36114-bump-aircompressor-0-27.patch
@@ -0,0 +1,37 @@
+Fix CVE-2024-36114
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index e36f1e64f0..7758f71859 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -93,6 +93,12 @@
+   </properties>
+ 
+   <dependencies>
++    <!-- Mitigate CVE-2024-36114: See https://github.com/stackabletech/vulnerabilities/issues/834 -->
++    <dependency>
++      <groupId>io.airlift</groupId>
++      <artifactId>aircompressor</artifactId>
++      <version>0.27</version>
++    </dependency>
+     <dependency>
+       <groupId>org.apache.orc</groupId>
+       <artifactId>orc-core</artifactId>
diff --git a/hive/stackable/patches/3.1.3/series b/hive/stackable/patches/3.1.3/series
@@ -10,3 +10,4 @@
 09-maven-warning.patch
 10-postgres-driver.patch
 11-cyclonedx-plugin.patch
+12-CVE-2024-36114-bump-aircompressor-0-27.patch
diff --git a/hive/stackable/patches/4.0.0/04-CVE-2024-36114-bump-aircompressor-0-27.patch b/hive/stackable/patches/4.0.0/04-CVE-2024-36114-bump-aircompressor-0-27.patch
@@ -0,0 +1,37 @@
+Fix CVE-2024-36114
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 28ac5ceb65..8f2edd7b8e 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -120,6 +120,12 @@
+   </properties>
+   <dependencyManagement>
+     <dependencies>
++      <!-- Mitigate CVE-2024-36114: See https://github.com/stackabletech/vulnerabilities/issues/834 -->
++      <dependency>
++        <groupId>io.airlift</groupId>
++        <artifactId>aircompressor</artifactId>
++        <version>0.27</version>
++      </dependency>
+       <dependency>
+         <groupId>org.apache.orc</groupId>
+         <artifactId>orc-core</artifactId>
