[ANNOUNCE] Apache Hive 2.3.4 Released
The Apache Hive team is proud to announce the release of Apache Hive version 2.3.4.

The Apache Hive (TM) data warehouse software facilitates querying and managing large datasets residing in distributed storage. Built on top of Apache Hadoop (TM), it provides, among others:

* Tools to enable easy data extract/transform/load (ETL)
* A mechanism to impose structure on a variety of data formats
* Access to files stored either directly in Apache HDFS (TM) or in other data storage systems such as Apache HBase (TM)
* Query execution via Apache Hadoop MapReduce, Apache Tez and Apache Spark frameworks.

For Hive release details and downloads, please visit:
https://hive.apache.org/downloads.html

Hive 2.3.4 Release Notes are available here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12344319&styleName=Text&projectId=12310843

We would like to thank the many contributors who made this release possible.

Regards,
The Apache Hive Team
[SECURITY] CVE-2018-11777: Blocking local resource access in HiveServer2
CVE-2018-11777: Blocking local resource access in HiveServer2

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Hive, including 2.3.3, 3.1.0 and earlier.

Description: Local resources on HiveServer2 machines are not properly protected against a malicious user if the Ranger, Sentry or SQL standard authorizer is not in use.

Mitigation: It is recommended to upgrade to 2.3.4 or 3.1.1 or later if HiveServer2 is used and the Ranger, Sentry or SQL standard authorizer is not in use. The administrator then needs to specify the following entries in hiveserver2-site.xml:

hive.security.authorization.enabled = true
hive.security.authorization.manager = org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory

FallbackHiveAuthorizerFactory will do the following to mitigate the above-mentioned threat:

1. Disallow local file locations in SQL statements except for admin
2. Allow "set" only for selected whitelisted parameters
3. Disallow dfs commands except for admin
4. Disallow the "ADD JAR" statement
5. Disallow the "COMPILE" statement
6. Disallow the "TRANSFORM" statement

Credit: This issue was discovered by Mithun Radhakrishnan of Oath Inc.
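The two entries above, written out in the Hadoop-style property format that hiveserver2-site.xml uses. This is an added example, not a file shipped with the advisory or with Hive; the property names and values are exactly the ones the advisory prescribes, and it assumes no other authorization manager (Ranger, Sentry or the SQL standard authorizer) is configured for HiveServer2.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- hiveserver2-site.xml: enable the fallback authorizer for CVE-2018-11777.
     Added example for a Hive 2.3.4 / 3.1.1 (or later) deployment that runs
     HiveServer2 without Ranger, Sentry or the SQL standard authorizer. -->
<configuration>

  <!-- Turn authorization checks on for HiveServer2 sessions. -->
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>

  <!-- Use the fallback authorizer, which blocks local file locations, dfs
       commands, ADD JAR, COMPILE and TRANSFORM for non-admin users and
       restricts "set" to a whitelist of parameters. -->
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
  </property>

</configuration>
```

hiveserver2-site.xml is read when HiveServer2 starts, so the service has to be restarted after the change. A quick check that the configuration took effect is to open a non-admin session and confirm that an "ADD JAR" or "dfs" command is rejected by the authorizer rather than executed.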
[SECURITY] CVE-2018-1314: Hive explain query not being authorized
CVE-2018-1314: Hive explain query not being authorized

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Hive, including 2.3.3, 3.1.0 and earlier.

Description: The Hive "EXPLAIN" operation does not check for the necessary authorization of the entities involved in a query. An unauthorized user can run "EXPLAIN" on an arbitrary table or view and expose table metadata and statistics.

Mitigation: All Hive users shall upgrade to 2.3.4 or 3.1.1 or later.
[ANNOUNCE] Apache Hive 3.1.1 Released
The Apache Hive team is proud to announce the release of Apache Hive version 3.1.1.

The Apache Hive (TM) data warehouse software facilitates querying and managing large datasets residing in distributed storage. Built on top of Apache Hadoop (TM), it provides, among others:

* Tools to enable easy data extract/transform/load (ETL)
* A mechanism to impose structure on a variety of data formats
* Access to files stored either directly in Apache HDFS (TM) or in other data storage systems such as Apache HBase (TM)
* Query execution via Apache Hadoop MapReduce, Apache Tez and Apache Spark frameworks.

For Hive release details and downloads, please visit:
https://hive.apache.org/downloads.html

Hive 3.1.1 Release Notes are available here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12344240&styleName=Text&projectId=12310843

We would like to thank the many contributors who made this release possible.

Regards,
The Apache Hive Team
[SECURITY] CVE-2018-1315 'COPY FROM FTP' statement in HPL/SQL can write to arbitrary location if the FTP server is compromised
CVE-2018-1315: 'COPY FROM FTP' statement in HPL/SQL can write to arbitrary location if the FTP server is compromised

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Hive 2.1.0 to 2.3.2

Description: When a 'COPY FROM FTP' statement is run using the HPL/SQL extension to Hive, a compromised or malicious FTP server can cause the file to be written to an arbitrary location on the cluster from which the command is run. This is because the FTP client code in HPL/SQL does not verify the destination location of the downloaded file. This does not affect Hive CLI users or HiveServer2 users, as hplsql is a separate command line script and needs to be invoked differently.

Mitigation: Users who use HPL/SQL with Hive 2.1.0 through 2.3.2 should upgrade to 2.3.3, which removes support for "COPY FROM FTP". Alternatively, the usage of HPL/SQL can be disabled through other means.

Credit: This issue was discovered by Danny Grander of Snyk
[SECURITY] CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files
CVE-2018-1284: Hive UDF series UDFXPath allow users to pass carefully crafted XML to access arbitrary files

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions from 0.6.0

Description: A malicious user might use any of the xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 that is owned by the HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.

Mitigation: Users who use xpath UDFs in HiveServer2 with hive.server2.enable.doAs=false are recommended to upgrade to 2.3.3, or to update UDFXPathUtil.java to the head of branch-2.3 and rebuild hive-exec.jar:
https://git1-us-west.apache.org/repos/asf?p=hive.git;a=blob;f=ql/src/java/org/apache/hadoop/hive/ql/udf/xml/UDFXPathUtil.java;hb=refs/heads/branch-2.3

If these functions are not being used at present, their use can also be disabled by adding them to the value of the config hive.server2.builtin.udf.blacklist.
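The blacklist mitigation from the advisory, written out as a hiveserver2-site.xml entry. This is an added example rather than text from the advisory; the nine function names are the ones the advisory lists, and the example assumes hive.server2.builtin.udf.blacklist takes a comma-separated list of UDF names, which is how Hive documents that property.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- hiveserver2-site.xml: block the xpath UDF family in HiveServer2 for
     CVE-2018-1284 on a deployment that does not use these functions.
     Added example; not part of the advisory. -->
<configuration>

  <!-- Comma-separated list of built-in UDFs that HiveServer2 refuses to run.
       The blacklist takes precedence over hive.server2.builtin.udf.whitelist. -->
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>xpath,xpath_string,xpath_boolean,xpath_number,xpath_double,xpath_float,xpath_long,xpath_int,xpath_short</value>
  </property>

</configuration>
```

This only stops the functions from being invoked through HiveServer2; it is a stop-gap for deployments that cannot yet move to 2.3.3, and it does nothing for users who genuinely need the xpath UDFs, who should upgrade or rebuild hive-exec.jar as described above. After a HiveServer2 restart, a query that calls one of the listed functions should fail at compile time with an error naming the blacklisted UDF, which is a simple way to confirm the setting is active.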
[SECURITY] CVE-2018-1282 JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned
CVE-2018-1282: JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of the Hive JDBC driver from 0.7.1

Description: This vulnerability in Hive allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that the JDBC driver does in its PreparedStatement implementation.

Mitigation: It is recommended to upgrade prior versions of the Hive JDBC driver to 2.3.3. Note that the Hive JDBC driver is not backward compatible with HiveServer2, which means a newer version of the Hive JDBC driver may not talk to an older version of HiveServer2. In particular, Hive JDBC driver 2.3.3 won't talk to HiveServer2 2.1.1 or prior. If you are using Hive 2.1.1 or below, you might need to upgrade all the Hive instances to 2.3.3.

As an alternative to the upgrade, take the following two actions in your Hive JDBC client code/application when dealing with user-provided input in PreparedStatement:

1. Avoid passing user input to PreparedStatement.setBinaryStream
2. Sanitize the user input for PreparedStatement.setString by replacing all occurrences of \' with '

Credit: This issue was discovered by Bear Giles of SnapLogic