[
https://issues.apache.org/jira/browse/HIVE-28697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910668#comment-17910668
]
Basapuram Kumar commented on HIVE-28697:
----------------------------------------
PR - [https://github.com/apache/hive/pull/5599]
> Upgrade jetty to 9.4.56.v20240826 due to CVE's
> -----------------------------------------------
>
> Key: HIVE-28697
> URL: https://issues.apache.org/jira/browse/HIVE-28697
> Project: Hive
> Issue Type: Improvement
> Affects Versions: 4.0.0
> Reporter: Basapuram Kumar
> Assignee: Basapuram Kumar
> Priority: Major
> Labels: pull-request-available
>
> Bumping up jetty to 9.4.56.v20240826 due to CVE-2024-8184
> As per this [CVE-2024-8184|[https://nvd.nist.gov/vuln/detail/CVE-2024-8184],]
> CVE-2024-8184 Description
> {code:java}
> There exists a security vulnerability in Jetty's
> ThreadLimitHandler.getRemote() which can be exploited by unauthorized users
> to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted
> requests, attackers can trigger OutofMemory errors and exhaust the server's
> memory. {code}
>
>
> Current *jetty* version: *9.4.45.v20220203.*
> This CVE affected from 9.3.12, upto 9.4.55, and its *Fixed in 9.4.56*
> So suggested to upgrade hive's *jetty* to *9.4.56.v20240826*
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
