Date: Wed, 4 Apr 2018 15:04:17 -0700
From: Daniel Dai <daijy@...che.org>
To: user@...e.apache.org, dev@...e.apache.org, announce@...che.org, security <security@...e.apache.org>, oss-security@...ts.openwall.com, The bear in Boulder <bgiles@...otesong.com>
Subject: [SECURITY] CVE-2018-1282 JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned

CVE-2018-1282: JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of the Hive JDBC driver from 0.7.1.

Description:
This vulnerability in Hive allows carefully crafted arguments to bypass the argument escaping/cleanup that the JDBC driver performs in its PreparedStatement implementation.

Mitigation:
It is recommended to upgrade prior versions of the Hive JDBC driver to 2.3.3. Note that the Hive JDBC driver is not backward compatible with HiveServer2, which means a newer version of the Hive JDBC driver may not talk to an older version of HiveServer2. In particular, Hive JDBC driver 2.3.3 won't talk to HiveServer2 2.1.1 or prior. Users running Hive 2.1.1 or below might need to upgrade all of their Hive instances to 2.3.3.

As an alternative to the upgrade, take the following two actions in your Hive JDBC client code/application when dealing with user-provided input in PreparedStatement:

1. Avoid passing user input to PreparedStatement.setBinaryStream.
2. Sanitize the user input for PreparedStatement.setString by replacing all occurrences of \' with '.

Credit:
This issue was discovered by Bear Giles of SnapLogic.
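To illustrate mitigation step 2 above, here is an added example (not Hive's code and not part of the advisory) that models a client-side PreparedStatement quoting a string parameter by backslash-escaping single quotes, which is the escaping scheme the advisory's mitigation implies; it shows why input that already contains \' yields a literal that terminates early, and that collapsing \' to ' before setString restores a well-formed literal. The function names and the backslash-escape model are assumptions made for this illustration.

```python
# Assumed model of client-side parameter quoting: escape ' as \' and wrap
# in single quotes. This is a simplification for illustration, not the
# Hive JDBC driver's implementation.
def escape_quotes(value: str) -> str:
    return value.replace("'", "\\'")


def render_literal(value: str) -> str:
    """What the client would splice into the SQL text for a setString parameter."""
    return "'" + escape_quotes(value) + "'"


def sanitize_for_set_string(value: str) -> str:
    """Advisory mitigation 2: replace every \\' in user input with ' before setString."""
    return value.replace("\\'", "'")


def literal_is_well_formed(literal: str) -> bool:
    """Backslash-aware scan: the first unescaped quote after the opening one
    must be the final character, otherwise the literal ends early and the
    remainder of the input is interpreted as SQL text."""
    if not literal.startswith("'"):
        return False
    i = 1
    while i < len(literal):
        ch = literal[i]
        if ch == "\\":        # escaped character: skip it and the next one
            i += 2
            continue
        if ch == "'":
            return i == len(literal) - 1
        i += 1
    return False              # no closing quote at all


def check_input(value: str) -> tuple[bool, bool]:
    """Return (well_formed_without_sanitizing, well_formed_after_sanitizing)."""
    raw = literal_is_well_formed(render_literal(value))
    sanitized = literal_is_well_formed(render_literal(sanitize_for_set_string(value)))
    return raw, sanitized


if __name__ == "__main__":
    # Constructed sample inputs: a plain name and a pre-escaped one.
    for sample in ["O'Brien", "O\\'Brien"]:
        print(repr(sample), render_literal(sample), check_input(sample))
```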