Apache Hive Fixes Vulnerability

Tuesday, May 26, 2015 @ 03:05 PM gHale


Under certain conditions, an attacker can exploit an authentication vulnerability in HiveServer2, the query interface of the Apache Hive enterprise data warehouse software.

HiveServer2 is a server interface that allows remote clients to run queries in Hive and retrieve the results. It supports multiple client authentication modes.


Apache Hive enables querying of huge datasets stored across distributed locations. It began as a subproject of the Hadoop data management platform but has since become a standalone project.

The authentication vulnerability, tracked as CVE-2015-1772, affects Hive versions 0.11.0 through 1.0.0, as well as 1.1.0.

It poses a risk only to deployments that use the LDAP (Lightweight Directory Access Protocol) authentication mode in HiveServer2 and whose directory service permits simple unauthenticated or anonymous binds. In LDAP terms (RFC 4513), an unauthenticated bind is a simple bind that supplies a name but an empty password, and an anonymous bind supplies neither; a directory that accepts either returns success without checking any credential. In that configuration, a client without valid credentials can be authenticated by HiveServer2.

The security advisory said the issue is easier to reproduce when Kerberos authentication is enabled in the Apache Hadoop cluster.

There are two ways to eliminate the issue: upgrade to a release that includes the patch, or disable unauthenticated binds in the LDAP service.

The advisory added that users who choose the second option must have HiveServer2 authorization checks enabled if the LDAP service still allows anonymous binds; otherwise the vulnerability remains exploitable.

The patched releases are Apache Hive 1.0.1, 1.1.1 and 1.2.0; alternatively, the standalone fix (ldap-fix.tar.gz) can be downloaded from the Apache Hive download page and applied to an existing installation.
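To make the failure mode concrete, the following Python model is added here as an illustration; it is not Hive's code, not the advisory's, and not the standalone fix. It implements the three simple-bind kinds of RFC 4513 against a constructed in-memory directory, shows an authenticator that forwards the client's password unchanged (bypassed by an empty password when the directory accepts unauthenticated binds) beside one that refuses empty credentials before any bind is attempted, keeps the authorization step separate as the advisory requires, and includes the probe an operator would run to learn whether their directory accepts such binds. The base DN, user names and passwords are assumptions for the example.

```python
"""Constructed model of the CVE-2015-1772 failure mode (added example, not Hive code).

RFC 4513 section 5.1 distinguishes three simple binds:
  anonymous        : empty name, empty password
  unauthenticated  : non-empty name, empty password  (a server MAY accept it)
  name/password    : non-empty name, non-empty password
An authenticator that forwards whatever the client sent is bypassed when the
directory accepts the second kind. The fix is to refuse empty credentials
before a bind is attempted and to keep authorization as a separate check.
"""
from dataclasses import dataclass, field

BASE_DN = "ou=people,dc=example,dc=com"   # assumed search base, not from the page


@dataclass
class MockDirectory:
    """Stand-in for an LDAP server; only the bind decision is modelled."""
    passwords: dict                      # DN -> password, constructed test data
    allow_anonymous: bool = True         # empty DN + empty password
    allow_unauthenticated: bool = False  # DN + empty password (the dangerous case)
    bind_log: list = field(default_factory=list)

    def simple_bind(self, dn: str, password: str) -> bool:
        self.bind_log.append((dn, password))
        if dn == "" and password == "":
            return self.allow_anonymous
        if password == "":
            return self.allow_unauthenticated   # success says nothing about identity
        return self.passwords.get(dn) == password


def user_dn(user: str) -> str:
    """Builds the bind DN the way a uid-based LDAP authenticator typically does."""
    return f"uid={user},{BASE_DN}"


def authenticate_vulnerable(directory: MockDirectory, user: str, password: str) -> bool:
    """Forwards the client's credentials unchanged; bind success is taken as proof of identity."""
    return directory.simple_bind(user_dn(user), password)


def authenticate_hardened(directory: MockDirectory, user: str, password: str) -> bool:
    """Rejects input that would turn into an anonymous or unauthenticated bind."""
    if not user or not password.strip():
        return False                     # never reaches the directory
    return directory.simple_bind(user_dn(user), password)


def directory_allows_unauthenticated_bind(directory: MockDirectory, probe_user: str = "probe") -> bool:
    """Operator check: does a bind with a DN and an empty password succeed?"""
    return directory.simple_bind(user_dn(probe_user), "")


def authorize(user: str, allowed_users: frozenset) -> bool:
    """Separate authorization step; it must run even after a successful bind."""
    return user in allowed_users


def demo() -> dict:
    """Runs the scenarios against a permissive and a strict constructed directory."""
    creds = {user_dn("alice"): "s3cret"}
    permissive = MockDirectory(dict(creds), allow_unauthenticated=True)
    strict = MockDirectory(dict(creds), allow_unauthenticated=False)
    allowed = frozenset({"alice"})
    return {
        "vuln_empty_pw_permissive": authenticate_vulnerable(permissive, "alice", ""),
        "vuln_empty_pw_strict": authenticate_vulnerable(strict, "alice", ""),
        "vuln_wrong_pw_permissive": authenticate_vulnerable(permissive, "alice", "nope"),
        "hardened_empty_pw_permissive": authenticate_hardened(permissive, "alice", ""),
        "hardened_good_pw": authenticate_hardened(permissive, "alice", "s3cret"),
        "hardened_bad_pw": authenticate_hardened(permissive, "alice", "nope"),
        "probe_permissive": directory_allows_unauthenticated_bind(permissive),
        "probe_strict": directory_allows_unauthenticated_bind(strict),
        "authz_alice": authorize("alice", allowed),
        "authz_mallory": authorize("mallory", allowed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32s} {result}")
```

Against a real directory the probe is simply a simple bind request carrying a DN and an empty password; on OpenLDAP that bind kind is governed by the `bind_anon_dn` allow option (off by default) and anonymous binds by `disallow bind_anon`, while other directory products have their own switches, so the probe is worth running regardless of what the configuration claims.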

Thomas Rega of CareerBuilder, the online job search service, discovered the vulnerability. The flaw is rated Important in severity, but no further technical details have been published.


