Posted to announce@apache.org by Chao Sun <su...@apache.org> on 2015/05/22 01:31:17 UTC

CVE-2015-1772

CVE-2015-1772: Apache Hive Authentication vulnerability in HiveServer2

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Hive from 0.11.0 to 1.0.0, and 1.1.0.

Users affected: Users who use LDAP authentication mode in HiveServer2 and
also have LDAP configured to allow simple unauthenticated or anonymous bind.

Description:
LDAP services are sometimes configured to allow simple unauthenticated binds.
When HiveServer2 is configured to use LDAP authentication mode (the
hive.server2.authentication configuration parameter is set to LDAP) against
such an LDAP service, users without proper credentials can be authenticated.

This is more easily reproducible when Kerberos authentication is also
enabled in the Apache Hadoop cluster.

Mitigation:
There are two options:
1. Configure the LDAP service to disallow unauthenticated binds. If the
   service allows anonymous binds, not having Hive authorization checks
   enabled can also expose this vulnerability.

2. Update the Hive installation to use an authenticator with the fix. There
   are two options here:
   a. Upgrade to a newer version of Apache Hive that includes the fix:
      1.0.1, 1.1.1 or 1.2.0.
   b. Download the ldap-fix.tar.gz being made available on the Apache Hive
      downloads page and follow the instructions in its README.txt to use
      an LDAP authenticator that contains the fix with your existing Hive
      release.
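
The following is an added example, not code from the advisory or from Apache Hive: it models the behaviour described above (an LDAP directory that accepts a simple bind with a DN and an empty password, per RFC 4513 section 5.1.2, as an anonymous session) and shows, beside the vulnerable authenticator shape, the kind of pre-bind check a fixed authenticator applies. The FakeLdapServer class, the base DN and the user names are constructed for illustration.

```python
# Added example: RFC 4513 "unauthenticated bind" behaviour behind CVE-2015-1772
# and an authenticator check that rejects it. Everything here is constructed;
# it is not Hive's LDAP authenticator or a real directory.

class AuthenticationException(Exception):
    pass


class FakeLdapServer:
    """Directory stand-in. With allow_unauthenticated=True it behaves like a
    server that accepts a simple bind carrying a DN plus an empty password:
    the bind succeeds, but the resulting session is anonymous."""

    def __init__(self, passwords, allow_unauthenticated):
        self.passwords = passwords                  # DN -> password (constructed)
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn, password):
        if password == "":
            if self.allow_unauthenticated:
                return True                         # anonymous session, no error
            raise AuthenticationException("unauthenticated bind disallowed")
        if self.passwords.get(dn) == password:
            return True
        raise AuthenticationException("invalid credentials")


def bind_dn(user, base_dn="ou=People,dc=example,dc=com"):
    """Build the bind DN the authenticator would use (base DN is constructed)."""
    return f"uid={user},{base_dn}"


def authenticate_vulnerable(server, user, password):
    """Pre-fix shape: the client-supplied password goes straight to the bind,
    so an empty password is 'authenticated' by a permissive directory."""
    return server.simple_bind(bind_dn(user), password)


def authenticate_fixed(server, user, password):
    """Hardened shape: refuse empty or blank passwords before touching LDAP,
    so a permissive directory can never turn an anonymous bind into a login."""
    if password is None or password.strip() == "":
        raise AuthenticationException("empty password rejected before bind")
    return server.simple_bind(bind_dn(user), password)


def login(authenticator, server, user, password):
    """True when the authenticator accepts the login, False when it rejects it."""
    try:
        return authenticator(server, user, password)
    except AuthenticationException:
        return False
```

Mitigation 1 corresponds to constructing the directory with allow_unauthenticated=False; mitigation 2 corresponds to swapping authenticate_vulnerable for authenticate_fixed.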

Credit:
Thanks to Thomas Rega of CareerBuilder for reporting this issue.