Description
flume-ng-dist-1.9.0 requires the parquet-avro component, and the required version is as follows:
<dependency>
    <groupId>com.twitter</groupId>
    <artifactId>parquet-avro</artifactId>
    <version>1.4.1</version>
</dependency>
The parquet-avro is maintained by Apache from 1.6.0, but there are vulnerabilities with each version. There is also a vulnerability in parquet-avro version 1.4.1, as detailed: Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions. https://nvd.nist.gov/vuln/detail/CVE-2021-41561
Do you have any good solutions?
Issue Links
- is cloned by: FLUME-3405 Reopened - The parquet-avro version used by flume is 1.4.1, which is vulnerable. (Resolved)
- is superseded by: FLUME-3405 Reopened - The parquet-avro version used by flume is 1.4.1, which is vulnerable. (Resolved)