[ANNOUNCE] Apache Hive 1.0.1 and 1.1.1 Released

2015-05-22 Thread Chao Sun
The Apache Hive team is proud to announce the release of Apache Hive versions 1.0.1 and 1.1.1.

These two versions are based on Hive 1.0.0 and Hive 1.1.0, respectively.

They include a fix for a vulnerability issue in the LDAP authentication provider implementation. For more information, please refer to CVE-2015-1772.


The Apache Hive (TM) data warehouse software facilitates querying and
managing large datasets residing in distributed storage. Built on top
of Apache Hadoop (TM), it provides:

* Tools to enable easy data extract/transform/load (ETL)

* A mechanism to impose structure on a variety of data formats

* Access to files stored either directly in Apache HDFS (TM) or in
other data storage systems such as Apache HBase (TM)

* Query execution via Apache Hadoop MapReduce or Apache Tez frameworks
(and Apache Spark framework in Hive 1.1.1)

For Hive release details and downloads, please visit: https://hive.apache.org/downloads.html

Hive 1.0.1 Release Notes are available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12329444&styleName=Text&projectId=12310843

Hive 1.1.1 Release Notes are available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12329557&styleName=Text&projectId=12310843


CVE-2015-1772

2015-05-21 Thread Chao Sun
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2015-1772: Apache Hive Authentication vulnerability in HiveServer2

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Hive from 0.11.0 to 1.0.0, and 1.1.0.

Users affected: Users who use LDAP authentication mode in HiveServer2 and
also have LDAP configured to allow simple unauthenticated or anonymous bind.

Description:
LDAP services are sometimes configured to allow simple unauthenticated binds.
When HiveServer2 is configured to use LDAP authentication mode
(hive.server2.authentication configuration parameter is set to LDAP)
with such LDAP configurations, it can allow users without proper credentials
to get authenticated.

This is more easily reproducible when Kerberos authentication is also
enabled in the Apache Hadoop cluster.

Mitigation:
There are two options:
1. Configure the LDAP service to disallow unauthenticated binds. If the service
   allows anonymous binds, not having Hive authorization checks enabled can
   also expose this vulnerability.

2. Update the Hive installation to use an Authenticator with the fix. There are
   two options here:
   a. Users should upgrade to newer versions of Apache Hive with the
      fix, which includes 1.0.1, 1.1.1 and 1.2.0.
   b. Users can download the ldap-fix.tar.gz being made available for
      download from the Apache Hive downloads page and follow instructions
      in the README.txt to use an LDAP authenticator that contains the fix
      with your existing Hive release.

Credit:
Thanks to Thomas Rega of CareerBuilder for reporting this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVXmECAAoJEN3RdT/2ztzmBDsP/inSE3VaTc7gLJf03MbjtoBX
bxrnWGpJir7IVe1nrlj2WiD8i4m/TqG5OoHZB2ZCnVOKbjngh6Mq4ldXM4lzGemN
6aDYW6gIdplwhiiKoVeNrTISl38whPlNO9Kp8Y9nabSGFxBcngRIuWOq6KyOADra
PP9QMys7xB325JgrgEjS9Fxrtx8cGQK+cRDm/Fi5RCjQ0Q3VRmSKVzcbg2jDmyR/
38P67SlZm4w37Z8hrBKakTQ2ql2dkmCSjnlIQCB1dln4iLp6VR2S7sizeYSvk4aQ
86BqORYYwXAmWeUfhUBlbBbLmeicu4VTvhKB2wYkD2G0TBIqXk90GVf5mdwDLir0
gk0R+gfv6YF89pmFVFjwerkLozjKs43Vx5NjQz1IxCeXnoUOw5n6gVC1kFgvnL2o
SYIRqa0+nn1ARf9ssodzffnCsm3QGPMtgy3L+iBiWY6vfI+zgWBhOeFcnlNWieqV
epxn5Q5ojjlwAwKQ7irco3uULiBu+f/CIYq2ey4I8a8qNLHQRs9n850E/3MYaV5o
PmHdu2Gmuvj216fyS+5OuROAjFeuPPDq+qzRVOcISXnCfxzFjXL2PWvPc/RyMN1d
g82gMzwczv8EFhag5MdD5FMyqAxz8BKdeOaKk/QGPQG1XvlGqjuDKJYDCfsHI4F/
5mUttG40ky0zn3ONQAPC
=7NKg
-----END PGP SIGNATURE-----
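The advisory's description and mitigation rest on one LDAP detail: a simple bind with a non-empty DN and an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2), and a directory configured to allow it answers with success while granting only anonymous authorization. An authenticator that treats "the bind did not fail" as "the user proved their password" therefore lets an empty password through. The example below is added here and is not code from the Hive project or from the advisory's author: it models the three simple-bind cases against a constructed in-memory directory, then contrasts an authenticator that only checks for bind success with one that rejects empty credentials and verifies the bound identity. The DN template, the `SimulatedLdapServer` class and the sample entries are assumptions for illustration; the empty-credential check models the class of fix described in the mitigation, not Hive's patch line for line.

```python
"""Simulated LDAP simple-bind semantics (RFC 4513 section 5.1) and two
HiveServer2-style password authenticators: one that trusts any successful
bind and one that rejects empty credentials and checks the bound identity.
Everything here runs offline; no real directory is contacted."""

from dataclasses import dataclass
from typing import Dict

# Constructed sample directory (DN -> password); not real data.
DIRECTORY: Dict[str, str] = {
    "uid=alice,ou=people,dc=example,dc=com": "correct-horse",
    "uid=bob,ou=people,dc=example,dc=com": "battery-staple",
}


class LdapBindError(Exception):
    """Raised for a failed bind; the message is the LDAP result code name."""


@dataclass
class SimulatedLdapServer:
    """Minimal model of a directory's simple-bind policy (assumed class)."""
    entries: Dict[str, str]
    allow_unauthenticated_bind: bool = False  # RFC 4513 5.1.2 policy knob
    allow_anonymous_bind: bool = True         # RFC 4513 5.1.1 policy knob

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the authorization identity the session ends up with, or raise.

        empty DN, empty password      -> anonymous bind (5.1.1)
        non-empty DN, empty password  -> unauthenticated bind (5.1.2): when the
                                         server allows it, the result is
                                         success with *anonymous* authorization
        non-empty DN, password        -> name/password authentication (5.1.3)
        """
        if not dn and not password:
            if self.allow_anonymous_bind:
                return "anonymous"
            raise LdapBindError("inappropriateAuthentication")
        if dn and not password:
            if self.allow_unauthenticated_bind:
                return "anonymous"  # success code, but no identity was proven
            raise LdapBindError("unwillingToPerform")
        if self.entries.get(dn) == password:
            return dn
        raise LdapBindError("invalidCredentials")


def user_dn(user: str) -> str:
    """Hypothetical DN template; a real deployment configures its own."""
    return f"uid={user},ou=people,dc=example,dc=com"


def authenticate_vulnerable(server: SimulatedLdapServer, user: str, password: str) -> bool:
    """Accepts whenever the bind does not raise. Against a directory that
    allows unauthenticated binds, an empty password is accepted."""
    try:
        server.simple_bind(user_dn(user), password)
        return True
    except LdapBindError:
        return False


def authenticate_fixed(server: SimulatedLdapServer, user: str, password: str) -> bool:
    """Rejects empty user or password before touching the directory, then
    additionally requires that the session is bound as the expected DN rather
    than as anonymous. Either check alone closes the empty-password case;
    doing both is defence in depth against a permissive directory."""
    if not user or not password:
        return False
    try:
        bound_as = server.simple_bind(user_dn(user), password)
    except LdapBindError:
        return False
    return bound_as == user_dn(user)


if __name__ == "__main__":
    permissive = SimulatedLdapServer(DIRECTORY, allow_unauthenticated_bind=True)
    strict = SimulatedLdapServer(DIRECTORY, allow_unauthenticated_bind=False)
    for label, srv in (("permissive directory", permissive), ("strict directory", strict)):
        print(label,
              "| empty password, vulnerable:", authenticate_vulnerable(srv, "alice", ""),
              "| empty password, fixed:", authenticate_fixed(srv, "alice", ""),
              "| real password, fixed:", authenticate_fixed(srv, "alice", "correct-horse"))
```

The two mitigations in the advisory map onto the two toggles here: hardening the directory corresponds to `allow_unauthenticated_bind=False`, which makes even the vulnerable authenticator refuse an empty password; updating the authenticator corresponds to `authenticate_fixed`, which refuses it regardless of directory policy. The advisory's note about anonymous binds and authorization checks is the reason for the final identity comparison: a session that is merely anonymous should never be mistaken for a named user.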