IBM Support

Security Bulletin: Hortonworks Technical Alert: CVE-2018-1284, CVE-2018-1282, CVE-2018-1315 fixes for Hive

Created by Zach K Zakharian on
Published URL: https://www.ibm.com/support/pages/node/569311

Security Bulletin


Summary

IBM Technical Support would like to make you aware of a potential issue you may encounter.  Please review the details below and take action accordingly.

Vulnerability Details

COMPONENT: Hive/Hive2

VERSION: All HDP versions from HDP 1.0.0 to HDP 2.6.4

REFERENCE: CVE-2018-1284

PROBLEM: A malicious user might use any of the xpath UDFs
(xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 that is owned by
the HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.

IMPACT:
Depending on configuration, malicious users would be able to access unauthorized data by running SELECT queries that leverage the xpath UDFs listed above.

SOLUTION:
Users who use xpath UDFs in HiveServer2 and have hive.server2.enable.doAs=false can disable use of the vulnerable UDFs by appending them to the current value of the configuration property hive.server2.builtin.udf.blocklist (xpath,xpath_string,xpath_boolean,xpath_number,xpath_double,xpath_float,xpath_long,xpath_int,xpath_short). Keep any entries already present in that value; only add the xpath UDFs to it.

The next maintenance release of HDP 2.6 and future major releases will include the fix. You can also request a hotfix for your current version, if necessary, by opening a case with IBM Support.



COMPONENT: Hive/Hive2

VERSION: All HDP versions from HDP 1.0.0 to HDP 2.6.4

REFERENCE: CVE-2018-1282

PROBLEM: This vulnerability in Hive allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that the JDBC driver performs in its PreparedStatement implementation.

IMPACT:
If applications that take user input and set it as arguments to a Hive JDBC PreparedStatement do not escape/clean up those arguments, the input could be used to modify the actual query being run in unintended or malicious ways.

SOLUTION:
If you are on an affected release and have use cases where user input is set in a Hive query as an argument to the JDBC PreparedStatement setBinaryStream or setString methods, you can take the following two actions in your Hive JDBC client code/application when dealing with user-provided input in a PreparedStatement:
1. Avoid passing user input to PreparedStatement.setBinaryStream.
2. Sanitize the user input for PreparedStatement.setString by replacing all occurrences of \' with '.
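The two client-side steps above, as an added example that is not part of this bulletin or of the Hive project: a Python model of step 2 together with a check that the value the driver will quote forms exactly one SQL string literal. The quoting in driver_quote (escape ' as \' and wrap in single quotes) is an assumption about the affected driver's setString, used only to show why the replacement matters; real Hive JDBC client code is Java, and a practitioner would port sanitize_for_set_string into the application's Java binding code.

```python
def sanitize_for_set_string(user_input: str) -> str:
    """Bulletin step 2: replace every \\' in the user input with a plain '
    before the value is handed to PreparedStatement.setString."""
    return user_input.replace("\\'", "'")


def driver_quote(value: str) -> str:
    """Assumed model of the affected driver's setString: escape ' as \\' and
    wrap the result in single quotes to build the SQL string literal."""
    return "'" + value.replace("'", "\\'") + "'"


def is_single_literal(quoted: str) -> bool:
    """Return True only if `quoted` lexes as one complete string literal:
    the first unescaped ' after the opening quote must be the final character."""
    if len(quoted) < 2 or quoted[0] != "'":
        return False
    i = 1
    while i < len(quoted):
        if quoted[i] == "\\":
            i += 2          # a backslash escapes the next character
            continue
        if quoted[i] == "'":
            return i == len(quoted) - 1
        i += 1
    return False            # no closing quote found (e.g. input ended in a backslash)


def bind_user_string(user_input: str) -> str:
    """What the application should send: sanitize first, then let the driver quote.
    Raises if the result would not be a single literal (defense in depth)."""
    literal = driver_quote(sanitize_for_set_string(user_input))
    if not is_single_literal(literal):
        raise ValueError("input does not quote to a single string literal")
    return literal


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary apostrophe and the \' sequence the bulletin names.
    for sample in ["O'Brien", "a\\'b"]:
        print(repr(sample), "->", bind_user_string(sample))
```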

The next maintenance release of HDP 2.6 and future major releases will include the fix. You can also request a hotfix for your current version, if necessary, by opening a case with IBM Support.



COMPONENT: HiveServerInteractive (Hive2)

VERSION: All HDP versions from HDP 2.5.0 to HDP 2.6.4

REFERENCE: CVE-2018-1315

PROBLEM: When a 'COPY FROM FTP' statement is run using the HPL/SQL extension to Hive, a compromised or malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because the FTP client code in HPL/SQL does not verify the destination location of the downloaded file. This does not affect the hive CLI user or the hiveserver2 user, as HPL/SQL is a separate command-line script and needs to be invoked differently.

IMPACT:
A compromised or malicious FTP server can cause a file being copied with the above “COPY FROM FTP” HPL/SQL command to be written to an unintended location. Note that HPL/SQL is available in HDP 2.6 only as a “technical preview”.

SOLUTION:
You can disable HPL/SQL functionality by deleting the command-line tool (/usr/hdp/current/hive-server2-hive2/bin/hplsql).

The next maintenance release of HDP 2.6 and future major releases will include the fix. You can also request a hotfix for your current version, if necessary, by opening a case with IBM Support.

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
16 June 2018

UID

swg22015354