  1. Flume
  2. FLUME-3405

Reopened - The parquet-avro version used by flume is 1.4.1, which is vulnerable.


Details

    • Improvement
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • 1.9.0
    • 1.10.0
    • Node
    • None

    Description

      flume-ng-dist-1.9.0 requires the parquet-avro component, and the required version is as follows:

      <dependency>
          <groupId>com.twitter</groupId>
          <artifactId>parquet-avro</artifactId>
          <version>1.4.1</version>
      </dependency>

       

      The parquet-avro is maintained by Apache from 1.6.0, but there are vulnerabilities in each version. There is also a vulnerability in parquet-avro version 1.4.1, as detailed: Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions. https://nvd.nist.gov/vuln/detail/CVE-2021-41561

      Do you have any good solutions?


            People

              Unassigned
              zhy-brian-online zhou yong