====================================================================
CERT-Renater Note d'Information No. 2018/VULN369
_____________________________________________________________________

DATE : 08/11/2018
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Hive, HiveServer2 versions prior to 2.3.4, 3.1.1.
=====================================================================

References:
http://mail-archives.apache.org/mod_mbox/hive-user/201811.mbox/%3cCABDpyChoSC+O_whkL_7Zh4ZMiXf7qmWpKoa-hep0dS6MTnJYJA@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/hive-user/201811.mbox/%3cCABDpyCjx+GpPvEW1mreZPnqCmqBYmAVk3s5NUx4ZGnQKcj7aGg@mail.gmail.com%3e

_____________________________________________________________________

CVE-2018-1314: Hive explain query not being authorized

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Hive, including 2.3.3, 3.1.0 and earlier.

Description: The Hive "EXPLAIN" operation does not check for the necessary authorization of the entities involved in a query. An unauthorized user can run "EXPLAIN" on an arbitrary table or view and expose table metadata and statistics.

Mitigation: All Hive users shall upgrade to 2.3.4 or 3.1.1 or later.

_____________________________________________________________________

CVE-2018-11777: Blocking local resource access in HiveServer2

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Hive, including 2.3.3, 3.1.0 and earlier.

Description: Local resources on HiveServer2 machines are not properly protected against a malicious user if Ranger, Sentry or the SQL standard authorizer is not in use.

Mitigation: It is recommended to upgrade to 2.3.4 or 3.1.1 or later if HiveServer2 is used and Ranger, Sentry or the SQL standard authorizer is not in use.

The admin needs to specify the following entries in hiveserver2-site.xml:

  Name : hive.security.authorization.enabled
  Value: true

  Name : hive.security.authorization.manager
  Value: org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory

FallbackHiveAuthorizerFactory will do the following to mitigate the above-mentioned threat:

  1. Disallow local file locations in SQL statements except for admin
  2. Allow "set" only for selected whitelisted parameters
  3. Disallow dfs commands except for admin
  4. Disallow the "ADD JAR" statement
  5. Disallow the "COMPILE" statement
  6. Disallow the "TRANSFORM" statement

Credit: This issue was discovered by Mithun Radhakrishnan of Oath Inc.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email:cert@support.renater.fr  +
=========================================================
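The following script is an added example, not part of the CERT-Renater note or of Apache Hive. It verifies the CVE-2018-11777 mitigation described above by parsing a hiveserver2-site.xml and checking that the two properties the advisory names are set to the required values. Both sample configurations are constructed for illustration, the function names are this example's own, and the check only recognises the FallbackHiveAuthorizerFactory: a deployment that relies on Ranger, Sentry or the SQL standard authorizer instead will be reported as a finding to review, not as compliant.

```python
"""Check a hiveserver2-site.xml for the mitigation the advisory describes:
authorization enabled and FallbackHiveAuthorizerFactory as the manager.

Added example for this note; not code from CERT-Renater or Apache Hive.
The sample configurations below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Property names and values taken verbatim from the advisory's mitigation.
REQUIRED_MANAGER = (
    "org.apache.hadoop.hive.ql.security.authorization.plugin.fallback."
    "FallbackHiveAuthorizerFactory"
)


def parse_hive_site(xml_text: str) -> dict:
    """Flatten a Hadoop-style <configuration> file into {name: value}.

    Names and values are stripped of surrounding whitespace so that a value
    wrapped onto its own line in the XML still compares equal.
    """
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is None:
            continue  # malformed <property> without a <name>; nothing to key on
        props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_fallback_authorizer(xml_text: str) -> list:
    """Return a list of findings; an empty list means the mitigation is present."""
    props = parse_hive_site(xml_text)
    findings = []

    enabled = props.get("hive.security.authorization.enabled")
    if enabled is None or enabled.lower() != "true":
        shown = enabled if enabled is not None else "<unset>"
        findings.append(
            f"hive.security.authorization.enabled is {shown}: authorization is off")

    manager = props.get("hive.security.authorization.manager")
    if manager != REQUIRED_MANAGER:
        shown = manager if manager else "<unset>"
        findings.append(
            f"hive.security.authorization.manager is {shown}: "
            "FallbackHiveAuthorizerFactory not configured; confirm that Ranger, "
            "Sentry or the SQL standard authorizer is in use instead")
    return findings


# Constructed sample: a HiveServer2 with no authorizer configured at all,
# the exposed setup the advisory describes.
UNPROTECTED_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.thrift.port</name>
    <value>10000</value>
  </property>
</configuration>
"""

# Constructed sample: the two entries the advisory tells admins to add.
HARDENED_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>
      org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory
    </value>
  </property>
</configuration>
"""

if __name__ == "__main__":
    for label, site in (("unprotected", UNPROTECTED_SITE), ("hardened", HARDENED_SITE)):
        problems = check_fallback_authorizer(site)
        print(f"{label}: {'OK' if not problems else 'FINDINGS'}")
        for p in problems:
            print("  -", p)
```

To run it against a real deployment, read the file from the HiveServer2 host (the location depends on the installation) and pass its contents to check_fallback_authorizer; the result should be reviewed alongside the upgrade status, since the advisory's primary recommendation is upgrading to 2.3.4 or 3.1.1.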