You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@hive.apache.org by Daniel Dai <da...@apache.org> on 2018/11/07 21:24:03 UTC

[SECURITY] CVE-2018-1314: Hive explain query not being authorized

CVE-2018-1314: Hive explain query not being authorized

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Hive,
including 2.3.3, 3.1.0 and earlier

Description: Hive "EXPLAIN" operation does not check for necessary
authorization of involved entities in a query. An unauthorized user
can do "EXPLAIN" on arbitrary table or view and expose table metadata
and statistics.

Mitigation: all Hive users shall upgrade to 2.3.4 or 3.1.1 or later

Re: [SECURITY] CVE-2018-1314: Hive explain query not being authorized

Posted by Thejas Nair <th...@gmail.com>.

Terry, Yes this is seen with SQL stardard authorization, Ranger and I
suppose Sentry based authorization as well.
Hive was not passing the table objects to the authorization plugin
implementations during authorization api calls.

On Wed, Nov 7, 2018 at 1:49 PM Terry <th...@gmail.com> wrote:
>
> Daniel - Is this happening when beeline security is enabled? Can you provide a link for more info on this?
>
> On Wed, Nov 7, 2018 at 14:25 Daniel Dai <da...@apache.org> wrote:
>>
>> CVE-2018-1314: Hive explain query not being authorized
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: This vulnerability affects all versions of Hive,
>> including 2.3.3, 3.1.0 and earlier
>>
>> Description: Hive "EXPLAIN" operation does not check for necessary
>> authorization of involved entities in a query. An unauthorized user
>> can do "EXPLAIN" on arbitrary table or view and expose table metadata
>> and statistics.
>>
>> Mitigation: all Hive users shall upgrade to 2.3.4 or 3.1.1 or later

Re: [SECURITY] CVE-2018-1314: Hive explain query not being authorized

Posted by Terry <th...@gmail.com>.

Daniel - Is this happening when beeline security is enabled? Can you
provide a link for more info on this?

On Wed, Nov 7, 2018 at 14:25 Daniel Dai <da...@apache.org> wrote:

> CVE-2018-1314: Hive explain query not being authorized
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: This vulnerability affects all versions of Hive,
> including 2.3.3, 3.1.0 and earlier
>
> Description: Hive "EXPLAIN" operation does not check for necessary
> authorization of involved entities in a query. An unauthorized user
> can do "EXPLAIN" on arbitrary table or view and expose table metadata
> and statistics.
>
> Mitigation: all Hive users shall upgrade to 2.3.4 or 3.1.1 or later
>