diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b1fd725c..10253ea1a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,13 +22,18 @@ All notable changes to this project will be documented in this file. - kafka: Remove `kubectl`, as we are now using listener-op ([#884]). +### Fixed + +- hive: Fix CVE-2023-34455 in Hive 4.0.0 by excluding snappy-java from the build ([#929]) + +[#943]: https://github.com/stackabletech/docker-images/pull/943 [#884]: https://github.com/stackabletech/docker-images/pull/884 [#928]: https://github.com/stackabletech/docker-images/pull/928 -[#943]: https://github.com/stackabletech/docker-images/pull/943 [#952]: https://github.com/stackabletech/docker-images/pull/952 [#953]: https://github.com/stackabletech/docker-images/pull/953 [#955]: https://github.com/stackabletech/docker-images/pull/955 [#959]: https://github.com/stackabletech/docker-images/pull/959 +[#929]: https://github.com/stackabletech/docker-images/pull/929 ## [24.11.0] - 2024-11-18 @@ -98,7 +103,6 @@ All notable changes to this project will be documented in this file. - nifi: Fix CVE-2024-36114 in NiFi `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]). - hbase: Fix CVE-2024-36114 in HBase `2.6.0` by upgrading a dependency. ([#925]). - druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]). -- hbase: Fix CVE-2023-34455 in HBase `2.4.18` by upgrading a dependency. ([#934]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797 @@ -148,7 +152,6 @@ All notable changes to this project will be documented in this file. [#924]: https://github.com/stackabletech/docker-images/pull/924 [#925]: https://github.com/stackabletech/docker-images/pull/925 [#926]: https://github.com/stackabletech/docker-images/pull/926 -[#934]: https://github.com/stackabletech/docker-images/pull/934 ## [24.7.0] - 2024-07-24 
diff --git a/hive/stackable/patches/4.0.0/05-CVE-2023-34455-exclude-snappy.patch b/hive/stackable/patches/4.0.0/05-CVE-2023-34455-exclude-snappy.patch new file mode 100644 index 000000000..680098a2a --- /dev/null +++ b/hive/stackable/patches/4.0.0/05-CVE-2023-34455-exclude-snappy.patch @@ -0,0 +1,27 @@ +Fix CVE-2023-34455 +see https://github.com/stackabletech/vulnerabilities/issues/558 +and https://github.com/stackabletech/vulnerabilities/issues/862 + +Exclude snappy-java 1.1.8 from the standalone-metastore artifact +and use the version shipped with the Hadoop binaries patched by +Stackable with https://github.com/stackabletech/docker-images/blob/main/hadoop/stackable/patches/3.3.6/007-snappy-cves-3.3.6.patch + +diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml +index cd34884e3b..9bcbdfe7f7 100644 +--- a/standalone-metastore/pom.xml ++++ b/standalone-metastore/pom.xml +@@ -210,6 +210,14 @@ + hadoop-common + ${hadoop.version} + ++ ++ ++ org.xerial.snappy ++ snappy-java ++ + + org.apache.zookeeper + zookeeper
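Review bot: in the `@@ -22,13 +22,18 @@` hunk of `CHANGELOG.md`, the link-reference list under the unreleased section was in ascending PR order; moving `[#943]` above `[#884]` and appending `[#929]` after `[#959]` breaks that ordering. Suggest leaving `[#943]` where it was and inserting `[#929]` between `[#928]` and `[#943]`. Also, the new entry `- hive: Fix CVE-2023-34455 in Hive 4.0.0 by excluding snappy-java from the build ([#929])` has no trailing period, while the neighbouring entries end with one, e.g. `([#884]).`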
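Review bot: the `@@ -98,7 +103,6 @@` hunk removes `- hbase: Fix CVE-2023-34455 in HBase `2.4.18` by upgrading a dependency. ([#934]).` from `## [24.11.0] - 2024-11-18`, a section that is already released, and the change gives no reason. If that fix was reverted or never shipped in 24.11.0, a changelog line saying so is clearer than silently editing a released section; if it did ship, the entry should stay.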
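Review bot: in the `@@ -148,7 +152,6 @@` hunk, dropping `[#934]: https://github.com/stackabletech/docker-images/pull/934` is only correct if the `hbase:` entry that references `[#934]` is also removed; should that entry be kept after all, this link definition must stay or the reference dangles.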
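Review bot: in the new `05-CVE-2023-34455-exclude-snappy.patch`, the exclusion added to `standalone-metastore/pom.xml` is attached only to the `hadoop-common` dependency, so it removes `org.xerial.snappy:snappy-java` from that one transitive path; the header's claim that snappy-java 1.1.8 is excluded "from the standalone-metastore artifact" holds only if no other dependency pulls it back in. Suggest noting in the patch description that this was checked (for example with `mvn dependency:tree -Dincludes=org.xerial.snappy` on the module) and stating which snappy-java version the patched Hadoop binaries provide, since the metastore now depends on the Hadoop runtime classpath for that library and would fail at runtime with a missing class if it is not there.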