oss-sec mailing list archives
[SECURITY] CVE-2018-11777: Blocking local resource access in HiveServer2
From: Daniel Dai <daijy () apache org>
Date: Wed, 7 Nov 2018 13:29:04 -0800
CVE-2018-11777: Blocking local resource access in HiveServer2 Severity: Important Vendor: The Apache Software Foundation Versions Affected: This vulnerability affects all versions of Hive, including 2.3.3, 3.1.0 and earlier Description: Local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use. Mitigation: It is recommended to upgrade to 2.3.4 or 3.1.1 or later if HiveServer2 is used, and ranger, sentry or sql standard authorizer is not in use. Admin needs to specify the following entries in hiveserver2-site.xml: <property> <name>hive.security.authorization.enabled</name> <value>true</value> </property> <property> <name>hive.security.authorization.manager</name> <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value> </property> FallbackHiveAuthorizerFactory will do the following to mitigate above mentioned threat: 1. Disallow local file location in sql statements except for admin 2. Allow "set" only selected whitelist parameters 3. Disallow dfs commands except for admin 4. Disallow "ADD JAR" statement 5. Disallow "COMPILE" statement 6. Disallow "TRANSFORM" statement Credit: This issue was discovered by Mithun Radhakrishnan of Oath Inc
Current thread:
- [SECURITY] CVE-2018-11777: Blocking local resource access in HiveServer2 Daniel Dai (Nov 08)