Security Bulletin
Summary
IBM Technical Support would like to make you aware of a potential issue you may encounter. Please review the details below and take action accordingly.
Vulnerability Details
COMPONENT: Hive/Hive2
VERSION: All HDP versions from HDP 1.0.0 to HDP 2.6.4
REFERENCE: CVE-2018-1284
PROBLEM: A malicious user could use any of the xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 that is owned by the HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.
IMPACT:
Depending on configuration, malicious users could access unauthorized data by running SELECT queries that call the xpath UDFs listed above.
SOLUTION:
Users who use xpath UDFs in HiveServer2 and have hive.server2.enable.doAs=false can block the vulnerable UDFs by adding them to the current value of the configuration property hive.server2.builtin.udf.blocklist (xpath,xpath_string,xpath_boolean,xpath_number,xpath_double,xpath_float,xpath_long,xpath_int,xpath_short).
The next maintenance release of HDP 2.6 and future major releases will include the fix. You can also request a hotfix for your current version if necessary by opening a case with IBM Support.
COMPONENT: Hive/Hive2
VERSION: All HDP versions from HDP 1.0.0 to HDP 2.6.4
REFERENCE: CVE-2018-1282
PROBLEM: This vulnerability in Hive allows carefully crafted arguments to bypass the argument escaping/cleanup that the JDBC driver performs in its PreparedStatement implementation.
IMPACT:
If applications that take user input and set it as arguments to a Hive JDBC PreparedStatement do not escape/clean up those arguments, the input could be used to modify the actual query being run in unintended or malicious ways.
SOLUTION:
If you are on an affected release and you have use cases where user input is set in a Hive query as arguments to the JDBC PreparedStatement setBinaryStream or setString methods, you can take the following two actions in your Hive JDBC client code/application when dealing with user-provided input in a PreparedStatement:
1. Avoid passing user input to PreparedStatement.setBinaryStream.
2. Sanitize the user input for PreparedStatement.setString by replacing all occurrences of \' with '.
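To illustrate step 2, here is an added example (not from the bulletin or the Hive project) that models the driver-side quote escaping done by the Hive JDBC PreparedStatement.setString, shows why a backslash-quote pair in user input survives that escaping, and applies the replacement from the bulletin before binding. The escaping model, the query and the sample input are assumptions constructed for the example.

```python
# Constructed query; the single ? is the bound parameter.
SQL = "SELECT * FROM t WHERE name = ?"


def driver_escape(value: str) -> str:
    """Model of the driver-side escaping (assumed to mirror the unpatched
    Hive JDBC setString): each ' becomes \\' and the result is quoted."""
    return "'" + value.replace("'", "\\'") + "'"


def sanitize_for_set_string(value: str) -> str:
    """Client-side step 2 from the bulletin: replace every \\' with '
    so that no backslash precedes a quote when the driver escapes it."""
    return value.replace("\\'", "'")


def bind(sql: str, value: str, sanitize: bool) -> str:
    """Substitute the ? placeholder with the (optionally sanitized) value."""
    if sanitize:
        value = sanitize_for_set_string(value)
    return sql.replace("?", driver_escape(value), 1)


def unescaped_quote_count(sql: str) -> int:
    """Count quotes that actually delimit literals: a backslash escapes the
    character after it, so \\' and \\\\ are skipped as pairs."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count


def literal_intact(bound_sql: str) -> bool:
    """True when the bound query still holds exactly one string literal,
    i.e. the user value did not terminate the quoted parameter early."""
    return unescaped_quote_count(bound_sql) == 2


if __name__ == "__main__":
    crafted = "a\\'b"  # constructed input containing a backslash-quote pair
    for sanitize in (False, True):
        q = bind(SQL, crafted, sanitize)
        print(f"sanitize={sanitize}: {q}  literal_intact={literal_intact(q)}")
```

Without the sanitization the escaped value becomes 'a\\'b', where the doubled backslash is itself an escape pair and the following quote closes the literal, leaving b outside it; with the sanitization the value binds as 'a\'b'.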
The next maintenance release of HDP 2.6 and future major releases will include the fix. You can also request a hotfix for your current version if necessary by opening a case with IBM Support.
COMPONENT: HiveServerInteractive (Hive2)
VERSION: All HDP versions from HDP 2.5.0 to HDP 2.6.4
REFERENCE: CVE-2018-1315
PROBLEM: When a 'COPY FROM FTP' statement is run using the HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster node where the command is run, because the FTP client code in HPL/SQL does not verify the destination location of the downloaded file. This does not affect the Hive CLI user or the HiveServer2 user, as HPL/SQL is a separate command-line script and needs to be invoked differently.
IMPACT:
A compromised or malicious FTP server can cause the file being copied with the above "COPY FROM FTP" HPL/SQL command to be written to an unintended location. Note that HPL/SQL is available in HDP 2.6 only as a "technical preview".
SOLUTION:
You can disable HPL/SQL functionality by deleting the command-line tool (/usr/hdp/current/hive-server2-hive2/bin/hplsql).
The next maintenance release of HDP 2.6 and future major releases will include the fix. You can also request a hotfix for your current version if necessary by opening a case with IBM Support.
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
16 June 2018
UID
swg22015354