[SECURITY] CVE-2018-1315 'COPY FROM FTP' statement in HPL/SQL can write to arbitrary location if the FTP server is compromised
CVE-2018-1315: 'COPY FROM FTP' statement in HPL/SQL can write to arbitrary location if the FTP server is compromised

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Hive 2.1.0 to 2.3.2

Description: When a 'COPY FROM FTP' statement is run using the HPL/SQL extension to Hive, a compromised or malicious FTP server can cause the downloaded file to be written to an arbitrary location on the cluster machine from which the command is run. This is because the FTP client code in HPL/SQL does not verify the destination location of the downloaded file, so a file name supplied by the server decides where the write lands. This does not affect the Hive CLI user or the HiveServer2 user, as hplsql is a separate command line script and needs to be invoked differently.

Mitigation: Users who use HPL/SQL with Hive 2.1.0 through 2.3.2 should upgrade to 2.3.3, which removes support for "COPY FROM FTP". Alternatively, the usage of HPL/SQL can be disabled through other means.

Credit: This issue was discovered by Danny Grander of Snyk
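The missing check described above, as an added illustration that is not HPL/SQL's own code: a download loop that trusts the server's listing is wrapped with a destination check that rejects any name which would not land directly inside the chosen local directory. The function names, the destination directory and the hostile listing entries used in the checks are all constructed for this example.

```python
import os
from ftplib import FTP


def local_target(dest_dir: str, server_supplied_name: str) -> str:
    """Return the path under dest_dir that a downloaded file may be written to.

    Raises ValueError when the name the FTP server handed us would land the
    write anywhere other than directly inside dest_dir. This is the kind of
    destination check the advisory says the HPL/SQL FTP client lacked; it is
    an illustrative check, not HPL/SQL's own code.
    """
    if not server_supplied_name or server_supplied_name in (".", ".."):
        raise ValueError("empty or relative-only file name from server")
    # A listing entry must be a bare file name: no directory separators,
    # whichever kind of host the server claims to be.
    if "/" in server_supplied_name or "\\" in server_supplied_name:
        raise ValueError("path separator in file name from server: %r"
                         % server_supplied_name)
    base = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(base, server_supplied_name))
    # Defence in depth: after resolving symlinks (a pre-planted link inside
    # dest_dir could still redirect the write) the parent must be dest_dir.
    if os.path.dirname(candidate) != base:
        raise ValueError("resolved path %s escapes %s" % (candidate, base))
    return candidate


def rejects(dest_dir: str, server_supplied_name: str) -> bool:
    """True if local_target() refuses this server-supplied name."""
    try:
        local_target(dest_dir, server_supplied_name)
    except ValueError:
        return True
    return False


def download_listing(ftp: FTP, remote_dir: str, dest_dir: str) -> list:
    """Fetch every file the server lists in remote_dir into dest_dir,
    skipping (and reporting) any entry whose name fails local_target().
    Needs a live FTP connection, so it is shown here but not exercised."""
    os.makedirs(dest_dir, exist_ok=True)
    ftp.cwd(remote_dir)          # so nlst() returns bare names, not paths
    written = []
    for name in ftp.nlst():
        try:
            target = local_target(dest_dir, name)
        except ValueError as exc:
            print("skipping hostile listing entry:", exc)
            continue
        with open(target, "wb") as fh:
            ftp.retrbinary("RETR " + name, fh.write)
        written.append(target)
    return written
```

Rejecting rather than silently renaming a hostile entry is deliberate: a server that sends traversal sequences is already untrustworthy, and a rename would hide that from the operator.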
[SECURITY] CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files
CVE-2018-1284: Hive UDF series UDFXPath allow users to pass carefully crafted XML to access arbitrary files

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions from 0.6.0

Description: A malicious user might use any of the xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the contents of a file on the machine running HiveServer2 that is readable by the HiveServer2 process user (usually hive), if hive.server2.enable.doAs=false. With doAs=false every query runs as the hive service user rather than as the submitting user, so the crafted XML reads files with that user's privileges.

Mitigation: Users who use xpath UDFs in HiveServer2 with hive.server2.enable.doAs=false are recommended to upgrade to 2.3.3, or to update UDFXPathUtil.java to the head of branch-2.3 and rebuild hive-exec.jar: https://git1-us-west.apache.org/repos/asf?p=hive.git;a=blob;f=ql/src/java/org/apache/hadoop/hive/ql/udf/xml/UDFXPathUtil.java;hb=refs/heads/branch-2.3. If these functions are not being used at present, you can also disable their use by adding them to the value of the config hive.server2.builtin.udf.blacklist.
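An added hive-site.xml fragment, not taken from the advisory, showing the blacklist mitigation in the form HiveServer2 reads it: the property value is a comma-separated list of function names, and the setting is applied when HiveServer2 starts, so a restart is needed. The first property is the precondition the advisory names, shown only so the two settings can be read together.

```xml
<!-- Precondition named in the advisory: queries run as the hive service user. -->
<property>
  <name>hive.server2.enable.doAs</name>
  <value>false</value>
</property>

<!-- Interim mitigation until the server is on 2.3.3: refuse the whole xpath
     UDF family. Comma-separated, no spaces; takes effect on HiveServer2 restart. -->
<property>
  <name>hive.server2.builtin.udf.blacklist</name>
  <value>xpath,xpath_string,xpath_boolean,xpath_number,xpath_double,xpath_float,xpath_long,xpath_int,xpath_short</value>
</property>
```

After the restart, a query that references any listed function is rejected at function resolution in HiveServer2 sessions; the Hive CLI, which does not go through HiveServer2, is not covered by this setting.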
[SECURITY] CVE-2018-1282 JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned
CVE-2018-1282: JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of the Hive JDBC driver from 0.7.1

Description: This vulnerability in the Hive JDBC driver allows carefully crafted arguments to bypass the argument escaping/cleanup that the driver performs in its PreparedStatement implementation, so a parameter value can end the string literal it is placed in and be parsed as SQL.

Mitigation: It is recommended to upgrade any prior version of the Hive JDBC driver to 2.3.3. Note that the Hive JDBC driver is not backward compatible with HiveServer2, which means a newer Hive JDBC driver may not talk to an older HiveServer2. In particular, Hive JDBC driver 2.3.3 won't talk to HiveServer2 2.1.1 or prior. Users running Hive 2.1.1 or below may therefore need to upgrade all Hive instances to 2.3.3.

As an alternative to the upgrade, take the following two actions in your Hive JDBC client code/application when dealing with user-provided input in PreparedStatement:

1. Avoid passing user input to PreparedStatement.setBinaryStream.

2. Sanitize the user input for PreparedStatement.setString by replacing all occurrences of \' with '.

Credit: This issue was discovered by Bear Giles of SnapLogic
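An added example, not the driver's own code: a model of the escaping weakness the advisory describes, beside a hardened escaper and the advisory's interim step 2. The quote-only escaper is an assumption about the pre-2.3.3 behaviour (it escapes ' but leaves a backslash in the input untouched); the lexer mirrors the HiveQL rule that a backslash inside a single-quoted literal escapes the following character. The payload strings and the query template are constructed for the example. Under this model, step 2 neutralizes an input that begins with \' but not one that begins with \\' (step 2 turns \\' into \', and the quote-only escaper then produces \\' again), which is one more reason to prefer the upgrade, or an escaper that escapes backslashes before quotes.

```python
def escape_quote_only(value: str) -> str:
    """Assumed model of the pre-2.3.3 driver behaviour the advisory describes:
    only the single quote is escaped; a backslash in the input passes through."""
    return "'" + value.replace("'", "\\'") + "'"


def escape_backslash_then_quote(value: str) -> str:
    """Hardened form: escape the escape character first, then the quote, so
    no input can leave an unescaped quote behind."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def advisory_step2(value: str) -> str:
    """The advisory's interim client-side step 2: replace every \\' with '
    before handing the value to PreparedStatement.setString."""
    return value.replace("\\'", "'")


def literal_breaks_out(literal: str) -> bool:
    """Lex a single-quoted literal the way HiveQL's lexer does (a backslash
    escapes the following character) and report whether the literal closes
    before the end of the string, i.e. whether the text after it would be
    parsed as SQL rather than as part of the value."""
    if not literal.startswith("'"):
        raise ValueError("not a single-quoted literal")
    i = 1
    while i < len(literal):
        ch = literal[i]
        if ch == "\\":
            i += 2          # escaped character: skip it whatever it is
            continue
        if ch == "'":
            return i != len(literal) - 1
        i += 1
    return False            # never closed: a syntax error, not an injection


def build_query(literal: str) -> str:
    """Constructed query template showing where the escaped value is spliced."""
    return "SELECT * FROM users WHERE name = " + literal


def interim_mitigation_holds(user_input: str) -> bool:
    """True if the advisory's step 2 followed by the quote-only escaper keeps
    this input inside the literal."""
    return not literal_breaks_out(escape_quote_only(advisory_step2(user_input)))


if __name__ == "__main__":
    payload = "\\' OR 1=1 -- "          # constructed: backslash, quote, SQL tail
    for name, esc in (("quote-only", escape_quote_only),
                      ("backslash-then-quote", escape_backslash_then_quote)):
        q = build_query(esc(payload))
        print("%-22s breaks out=%s  %s" % (name, literal_breaks_out(esc(payload)), q))
```

With the quote-only escaper the payload becomes '\\' OR 1=1 -- ': the lexer consumes \\ as an escaped backslash, the next quote closes the literal, and the rest is live SQL. With the hardened escaper the same input becomes '\\\' OR 1=1 -- ', where every quote inside the literal is preceded by an odd number of backslashes and the value stays a value.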
[ANNOUNCE] Apache Qpid Proton 0.22.0 released
The Apache Qpid (http://qpid.apache.org) community is pleased to announce the immediate availability of Apache Qpid Proton 0.22.0.

Apache Qpid Proton is a messaging library for the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org). It can be used in a wide range of messaging applications including brokers, clients, routers, bridges, proxies, and more.

The release is available now from our website:
http://qpid.apache.org/download.html

Release notes can be found at:
http://qpid.apache.org/releases/qpid-proton-0.22.0/release-notes.html

Thanks to all involved,
Robbie