Date: Wed, 4 Apr 2018 15:06:09 -0700
From: Daniel Dai <daijy@...che.org>
To: user@...e.apache.org, dev@...e.apache.org, announce@...che.org, security <security@...e.apache.org>, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files

CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions from 0.6.0

Description: A malicious user might use any of the xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 that is readable by the HiveServer2 user (usually hive), if hive.server2.enable.doAs=false.

Mitigation: Users who use the xpath UDFs in HiveServer2 with hive.server2.enable.doAs=false are recommended to upgrade to 2.3.3, or to update UDFXPathUtil.java to the head of branch-2.3 and rebuild hive-exec.jar: https://git1-us-west.apache.org/repos/asf?p=hive.git;a=blob;f=ql/src/java/org/apache/hadoop/hive/ql/udf/xml/UDFXPathUtil.java;hb=refs/heads/branch-2.3. If these functions are not being used at present, you can also disable their use by adding them to the value of the config hive.server2.builtin.udf.blacklist.
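The underlying weakness is an XML parser that resolves document type declarations and external entities on attacker-supplied input before the XPath expression is evaluated. The code below is an added example written for this post, not Hive's UDFXPathUtil.java or any code from the Apache project; the class name SafeXPathEval, the method names and the sample documents are assumptions constructed for illustration. It shows the hardening pattern a fix for this class of bug applies: configure the JAXP parser to refuse any DOCTYPE and to never load external general or parameter entities, so that a document carrying an entity declaration is rejected at parse time rather than having its entity expanded.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical helper, not part of Hive: evaluates an XPath expression against
// user-supplied XML with a parser that cannot read files via entity resolution.
public class SafeXPathEval {

    // Build a DocumentBuilder that rejects DTDs and external entities.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Enables the JAXP secure-processing limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Any <!DOCTYPE ...> makes the parse fail before entities are looked at.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: even if a DOCTYPE were allowed, never resolve external entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse with the hardened builder, then evaluate the expression as a string.
    static String evalString(String xml, String expr) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        XPath xp = XPathFactory.newInstance().newXPath();
        return (String) xp.evaluate(expr, doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: ordinary elements are still queryable.
        String plain = "<a><b>hello</b></a>";
        System.out.println(evalString(plain, "/a/b/text()"));

        // Constructed input with a DOCTYPE declaring an internal entity only.
        // The hardened parser refuses it outright, so no entity is ever expanded.
        String withDoctype = "<!DOCTYPE a [<!ENTITY x \"y\">]><a>&x;</a>";
        try {
            evalString(withDoctype, "/a/text()");
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The first call prints "hello"; the second ends in the catch block because the disallow-doctype-decl feature makes the parser raise SAXParseException as soon as it sees the declaration. For the configuration-only mitigation the advisory names, hive.server2.builtin.udf.blacklist takes a comma-separated list of builtin function names, so listing the nine xpath UDFs above in that property blocks them until the upgraded hive-exec.jar is deployed.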