Uploaded image for project: 'Bigtop'
  1. Bigtop
  2. BIGTOP-3621

Bump Oozie's log4j dependencies to 2.17.0

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.5.0, 3.0.0
    • 1.5.1
    • None
    • None

    Description

      In Bigtop 1.5 Oozie seems to include log4j 2.6.x jars:

      $ dpkg -L oozie | egrep *log4j.*2.6.*
/usr/lib/oozie/lib/log4j-api-2.6.2.jar
/usr/lib/oozie/lib/log4j-core-2.6.2.jar
/usr/lib/oozie/lib/log4j-slf4j-impl-2.6.2.jar
/usr/lib/oozie/lib/log4j-web-2.6.2.jar

      On vanilla Oozie branch-4.3's dependency:tree I can find a reference to the lib, but from the Bigtop's build log it seems pulled in by the hcatalog pom.xml.

      I quickly tried to exclude the log4j dependency and it worked (no extra log4j jars in the .deb), but it is probably not the right fix since the hive dependencies may need a more up-to-date log4j version.

      We should also review Oozie's 5.x version for Bigtop 3.x

      Attachments

        Issue Links

          relates to

          Sub-task - The sub-task of the issue BIGTOP-3613 Review log4j configurations for CVE-2021-44228

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              elukey Luca Toscano
              elukey Luca Toscano
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 3h
                  3h