www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chao Sun <sunc...@apache.org>
Subject CVE-2015-1772
Date Thu, 21 May 2015 23:31:17 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2015-1772: Apache Hive Authentication vulnerability in HiveServer2

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Hive from 0.11.0 to 1.0.0, and
1.1.0 .

Users affected: Users who use LDAP authentication mode in HiveServer2 and
also have LDAP configured to allow simple unauthenticated or anonymous bind.

Description:
LDAP services are sometimes configured to allow simple unauthenticated
binds.
When HiveServer2 is configured to use LDAP authentication mode
(hive.server2.authentication configuration parameter is set to LDAP),
with such LDAP configurations, it can allow users without proper credentials
to get authenticated.

This is more easily reproducible when Kerberos authentication is also
enabled
 in the Apache Hadoop cluster.

Mitigation:
There are two options
1. Configure LDAP service to disallow unauthenticated binds. If the service
 allows anonymous binds, not having hive authorization checks enabled can
 also expose this vulnerability.

2. Update Hive installation to use an Authenticator with the fix. There are
 two options here -
   a. Users should upgrade to newer versions of Apache Hive with the
      fix, which includes 1.0.1, 1.1.1 and 1.2.0 .
   b. Users can download the ldap-fix.tar.gz being made available for
      download from the Apache Hive downloads page and follow instructions
      in the README.txt to use an LDAP authenticator that contains the fix
      with your existing Hive release.

Credit:
Thanks to Thomas Rega of CareerBuilder for reporting this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVXmECAAoJEN3RdT/2ztzmBDsP/inSE3VaTc7gLJf03MbjtoBX
bxrnWGpJir7IVe1nrlj2WiD8i4m/TqG5OoHZB2ZCnVOKbjngh6Mq4ldXM4lzGemN
6aDYW6gIdplwhiiKoVeNrTISl38whPlNO9Kp8Y9nabSGFxBcngRIuWOq6KyOADra
PP9QMys7xB325JgrgEjS9Fxrtx8cGQK+cRDm/Fi5RCjQ0Q3VRmSKVzcbg2jDmyR/
38P67SlZm4w37Z8hrBKakTQ2ql2dkmCSjnlIQCB1dln4iLp6VR2S7sizeYSvk4aQ
86BqORYYwXAmWeUfhUBlbBbLmeicu4VTvhKB2wYkD2G0TBIqXk90GVf5mdwDLir0
gk0R+gfv6YF89pmFVFjwerkLozjKs43Vx5NjQz1IxCeXnoUOw5n6gVC1kFgvnL2o
SYIRqa0+nn1ARf9ssodzffnCsm3QGPMtgy3L+iBiWY6vfI+zgWBhOeFcnlNWieqV
epxn5Q5ojjlwAwKQ7irco3uULiBu+f/CIYq2ey4I8a8qNLHQRs9n850E/3MYaV5o
PmHdu2Gmuvj216fyS+5OuROAjFeuPPDq+qzRVOcISXnCfxzFjXL2PWvPc/RyMN1d
g82gMzwczv8EFhag5MdD5FMyqAxz8BKdeOaKk/QGPQG1XvlGqjuDKJYDCfsHI4F/
5mUttG40ky0zn3ONQAPC
=7NKg
-----END PGP SIGNATURE-----

Mime
View raw message