====================================================================
CERT-Renater
Note d'Information No. 2018/VULN369
_____________________________________________________________________
DATE : 08/11/2018
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Hive, HiveServer2 versions prior to
2.3.4, 3.1.1.
=====================================================================
http://mail-archives.apache.org/mod_mbox/hive-user/201811.mbox/%3cCABDpyChoSC+O_whkL_7Zh4ZMiXf7qmWpKoa-hep0dS6MTnJYJA@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/hive-user/201811.mbox/%3cCABDpyCjx+GpPvEW1mreZPnqCmqBYmAVk3s5NUx4ZGnQKcj7aGg@mail.gmail.com%3e
_____________________________________________________________________
CVE-2018-1314: Hive explain query not being authorized
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: This vulnerability affects all versions of Hive,
including 2.3.3, 3.1.0 and earlier
Description: Hive "EXPLAIN" operation does not check for necessary
authorization of involved entities in a query. An unauthorized user
can do "EXPLAIN" on arbitrary table or view and expose table metadata
and statistics.
Mitigation: all Hive users shall upgrade to 2.3.4 or 3.1.1 or later
_____________________________________________________________________
CVE-2018-11777: Blocking local resource access in HiveServer2
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: This vulnerability affects all versions of Hive,
including 2.3.3, 3.1.0 and earlier
Description: Local resources on HiveServer2 machines are not properly
protected against a malicious user if Ranger, Sentry or the SQL standard
authorizer is not in use.
Mitigation: It is recommended to upgrade to 2.3.4 or 3.1.1 or later if
HiveServer2 is used and Ranger, Sentry or the SQL standard authorizer
is not in use. The admin then needs to specify the following entries in
hiveserver2-site.xml:
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
  </property>
FallbackHiveAuthorizerFactory will do the following to mitigate the
above-mentioned threat:
1. Disallow local file locations in SQL statements except for admin
2. Allow "set" only for selected whitelisted parameters
3. Disallow dfs commands except for admin
4. Disallow the "ADD JAR" statement
5. Disallow the "COMPILE" statement
6. Disallow the "TRANSFORM" statement
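As an added example (not part of the advisory or of Apache Hive), the check below parses a Hadoop-style hiveserver2-site.xml and reports whether the two entries the mitigation above requires are present; the sample site files are constructed, and the port property in them is only there as filler.

```python
import xml.etree.ElementTree as ET

# Authorizer class named in the advisory's mitigation for CVE-2018-11777.
FALLBACK_AUTHORIZER = (
    "org.apache.hadoop.hive.ql.security.authorization.plugin.fallback."
    "FallbackHiveAuthorizerFactory"
)

def parse_hadoop_config(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_hiveserver2_site(xml_text):
    """Return findings for a site file; an empty list means both entries from
    the advisory are set. A deployment that uses Ranger, Sentry or the SQL
    standard authorizer instead will get the second finding and can ignore it."""
    props = parse_hadoop_config(xml_text)
    findings = []
    enabled = props.get("hive.security.authorization.enabled", "false").lower()
    if enabled != "true":
        findings.append("hive.security.authorization.enabled is not 'true' "
                        f"(found {enabled!r}); local resource access is unrestricted")
    manager = props.get("hive.security.authorization.manager", "")
    if manager != FALLBACK_AUTHORIZER:
        findings.append("hive.security.authorization.manager is not the "
                        f"FallbackHiveAuthorizerFactory (found {manager!r})")
    return findings

# Constructed sample: a site file before the mitigation is applied.
WEAK_SITE = """<configuration>
  <property><name>hive.server2.thrift.port</name><value>10000</value></property>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
</configuration>"""

# Constructed sample: the same file with the two entries from the advisory.
HARDENED_SITE = f"""<configuration>
  <property><name>hive.server2.thrift.port</name><value>10000</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
            <value>{FALLBACK_AUTHORIZER}</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, check_hiveserver2_site(site) or ["ok"])
```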
Credit: This issue was discovered by Mithun Radhakrishnan of Oath Inc
=========================================================
+ CERT-RENATER | tel : 01-53-94-20-44 +
+ 23/25 Rue Daviel | fax : 01-53-94-20-41 +
+ 75013 Paris | email:cert@support.renater.fr +
=========================================================