
====================================================================

                           CERT-Renater

               Information Note No. 2015/VULN097
_____________________________________________________________________

DATE                : 26/05/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Hive versions prior to
                        1.0.1, 1.1.1, 1.2.0.

======================================================================
http://mail-archives.us.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q@mail.gmail.com%3E
______________________________________________________________________

CVE-2015-1772: Apache Hive Authentication vulnerability in HiveServer2

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Hive from 0.11.0 to 1.0.0, and
1.1.0.

Users affected: Users who use LDAP authentication mode in HiveServer2
and also have LDAP configured to allow simple unauthenticated or
anonymous bind.

Description:
LDAP services are sometimes configured to allow simple unauthenticated
binds.

When HiveServer2 is configured to use LDAP authentication mode
(hive.server2.authentication configuration parameter is set to LDAP),
with such LDAP configurations, it can allow users without proper
credentials to get authenticated.

This is more easily reproducible when Kerberos authentication is also
enabled in the Apache Hadoop cluster.

Mitigation:
There are two options:
1. Configure the LDAP service to disallow unauthenticated binds. If the
service allows anonymous binds, not having Hive authorization checks
enabled can also expose this vulnerability.

2. Update the Hive installation to use an Authenticator with the fix. There
are two options here:
   a. Users should upgrade to newer versions of Apache Hive with the
      fix, which includes 1.0.1, 1.1.1 and 1.2.0.
   b. Users can download the ldap-fix.tar.gz being made available for
      download from the Apache Hive downloads page and follow the
      instructions in README.txt to use an LDAP authenticator that
      contains the fix with your existing Hive release.
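As an added example (not code from this advisory, from CERT-Renater or from Apache Hive), the Python probe below lets an administrator verify mitigation 1 against their own directory: it sends an LDAPv3 simple bind with a non-empty DN and an empty password, the "unauthenticated" bind of RFC 4513 section 5.1.2, and reports whether the server answered success (resultCode 0). The BER encoding is hand-rolled so no LDAP library is needed; host, port and the probe DN are assumed values the operator fills in.

```python
import socket

def _ber(tag, payload):
    # One BER TLV; short and two-byte long-form lengths cover a bind request
    n = len(payload)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256
                                         else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload

def build_simple_bind(message_id, bind_dn, password):
    # LDAPMessage { messageID, BindRequest { version 3, name, simple password } }
    bind_req = _ber(0x60,                             # [APPLICATION 0] BindRequest
                    _ber(0x02, b"\x03")               # version INTEGER 3
                    + _ber(0x04, bind_dn.encode())    # name LDAPDN
                    + _ber(0x80, password.encode()))  # [0] simple OCTET STRING
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind_req)

def _read_tlv(buf, pos):
    # (tag, value_start, value_end) of the TLV at buf[pos]; raises on truncation
    tag, first = buf[pos], buf[pos + 1]
    if first < 128:
        return tag, pos + 2, pos + 2 + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, pos + 2 + nbytes, pos + 2 + nbytes + length

def parse_bind_result_code(data):
    # resultCode of an LDAP BindResponse, or None if data is not one
    try:
        tag, s, _ = _read_tlv(data, 0)              # LDAPMessage SEQUENCE
        if tag != 0x30: return None
        tag, _, e = _read_tlv(data, s)              # messageID INTEGER
        if tag != 0x02: return None
        tag, s, _ = _read_tlv(data, e)              # [APPLICATION 1] BindResponse
        if tag != 0x61: return None
        tag, s, e = _read_tlv(data, s)              # resultCode ENUMERATED
        return int.from_bytes(data[s:e], "big") if tag == 0x0A else None
    except IndexError:
        return None

def unauthenticated_bind_accepted(host, port, bind_dn, timeout=5.0):
    # True when the directory answers success (0) to a bind with an EMPTY password,
    # the misconfiguration that lets HiveServer2's LDAP mode accept such users
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_simple_bind(1, bind_dn, ""))
        reply = sock.recv(4096)
    return parse_bind_result_code(reply) == 0
```

Run `unauthenticated_bind_accepted("ldap.example.org", 389, "cn=probe,dc=example,dc=org")` (assumed host and DN) against your directory; a result of True means mitigation 1 has not been applied and the directory still needs to be configured to reject unauthenticated binds.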

Credit:
Thanks to Thomas Rega of CareerBuilder for reporting this issue.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
