[SECURITY] CVE-2018-11777: Blocking local resource access in HiveServer2

2018-11-07 Thread Daniel Dai
CVE-2018-11777: Blocking local resource access in HiveServer2

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Hive,
including 2.3.3, 3.1.0 and earlier

Description: Local resources on HiveServer2 machines are not properly
protected against a malicious user if Ranger, Sentry or the SQL standard
authorizer is not in use.

Mitigation: It is recommended to upgrade to 2.3.4 or 3.1.1 or later if
HiveServer2 is used and Ranger, Sentry or the SQL standard authorizer
is not in use. The admin then needs to specify the following entries in
hiveserver2-site.xml:

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
</property>

FallbackHiveAuthorizerFactory will do the following to mitigate the
above-mentioned threat:
1. Disallow local file locations in SQL statements except for admin
2. Allow "set" only for selected whitelisted parameters
3. Disallow dfs commands except for admin
4. Disallow the "ADD JAR" statement
5. Disallow the "COMPILE" statement
6. Disallow the "TRANSFORM" statement

Credit: This issue was discovered by Mithun Radhakrishnan of Oath Inc
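The following script is an added example written for this page, not Apache Hive code: it audits a hiveserver2-site.xml for the two properties the mitigation above asks for. FallbackHiveAuthorizerFactory is taken from the advisory and the SQL standard authorizer's class name from Hive's own tree; Ranger and Sentry are recognised only by a substring of the manager class name, which is an assumption flagged in the code. The sample XML documents are constructed.

```python
"""Audit a hiveserver2-site.xml for the CVE-2018-11777 mitigation settings."""
import sys
import xml.etree.ElementTree as ET

# Class named in the advisory.
FALLBACK = ("org.apache.hadoop.hive.ql.security.authorization.plugin."
            "fallback.FallbackHiveAuthorizerFactory")
# SQL standard authorizer shipped with Hive (exact class name).
SQL_STD = ("org.apache.hadoop.hive.ql.security.authorization.plugin."
           "sqlstd.SQLStdHiveAuthorizerFactory")
ACCEPTED_EXACT = {FALLBACK, SQL_STD}
# Assumption: the Ranger and Sentry Hive plugins carry the project name in
# their authorizer factory class name; match on that rather than on an
# exact class that may differ between plugin versions.
ACCEPTED_HINTS = ("Ranger", "Sentry")


def load_properties(xml_text):
    """Map <name> to <value> for every <property> in a Hadoop-style XML."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(xml_text):
    """Return a list of findings; an empty list means both settings are present."""
    props = load_properties(xml_text)
    findings = []
    enabled = props.get("hive.security.authorization.enabled", "false").lower()
    manager = props.get("hive.security.authorization.manager", "")
    if enabled != "true":
        findings.append("hive.security.authorization.enabled is %r, expected true"
                        % enabled)
    acceptable = (manager in ACCEPTED_EXACT
                  or any(hint in manager for hint in ACCEPTED_HINTS))
    if not acceptable:
        findings.append(
            "hive.security.authorization.manager is %r; expected Ranger, Sentry, "
            "the SQL standard authorizer or FallbackHiveAuthorizerFactory" % manager)
    return findings


# Constructed samples: a file that leaves local resources exposed, and one
# carrying the advisory's two properties.
WEAK_XML = """<configuration>
  <property>
    <name>hive.server2.thrift.port</name>
    <value>10000</value>
  </property>
</configuration>"""

HARDENED_XML = """<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>%s</value>
  </property>
</configuration>""" % FALLBACK


if __name__ == "__main__":
    # With a path argument audit that file; otherwise show the weak sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_XML
    findings = audit(text)
    for finding in findings:
        print("FINDING:", finding)
    sys.exit(1 if findings else 0)
```

Run it against the live file (python audit_hs2.py /etc/hive/conf/hiveserver2-site.xml); it exits non-zero on any finding. It only reads the file, so after changing the settings still restart HiveServer2 and confirm from its logs that the authorizer was loaded.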


[SECURITY] CVE-2018-1314: Hive explain query not being authorized

2018-11-07 Thread Daniel Dai
CVE-2018-1314: Hive explain query not being authorized

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Hive,
including 2.3.3, 3.1.0 and earlier

Description: The Hive "EXPLAIN" operation does not check for the necessary
authorization of the entities involved in a query. An unauthorized user
can run "EXPLAIN" on an arbitrary table or view and expose table metadata
and statistics.

Mitigation: All Hive users should upgrade to 2.3.4 or 3.1.1 or later.


[ANNOUNCE] Apache Hive 2.3.4 Released

2018-11-07 Thread Daniel Dai
The Apache Hive team is proud to announce the release of Apache Hive
version 2.3.4.

The Apache Hive (TM) data warehouse software facilitates querying and
managing large datasets residing in distributed storage. Built on top
of Apache Hadoop (TM), it provides, among others:

* Tools to enable easy data extract/transform/load (ETL)

* A mechanism to impose structure on a variety of data formats

* Access to files stored either directly in Apache HDFS (TM) or in other
  data storage systems such as Apache HBase (TM)

* Query execution via Apache Hadoop MapReduce, Apache Tez and Apache Spark
frameworks.

For Hive release details and downloads, please visit:
https://hive.apache.org/downloads.html

Hive 2.3.4 Release Notes are available here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12344319&styleName=Text&projectId=12310843

We would like to thank the many contributors who made this release
possible.

Regards,

The Apache Hive Team


[ANNOUNCE] Apache Hive 3.1.1 Released

2018-11-01 Thread Daniel Dai
The Apache Hive team is proud to announce the release of Apache Hive
version 3.1.1.

The Apache Hive (TM) data warehouse software facilitates querying and
managing large datasets residing in distributed storage. Built on top
of Apache Hadoop (TM), it provides, among others:

* Tools to enable easy data extract/transform/load (ETL)

* A mechanism to impose structure on a variety of data formats

* Access to files stored either directly in Apache HDFS (TM) or in other
  data storage systems such as Apache HBase (TM)

* Query execution via Apache Hadoop MapReduce, Apache Tez and Apache Spark
frameworks.

For Hive release details and downloads, please visit:
https://hive.apache.org/downloads.html

Hive 3.1.1 Release Notes are available here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12344240&styleName=Text&projectId=12310843

We would like to thank the many contributors who made this release
possible.

Regards,

The Apache Hive Team


Re: Incorrect Release Notes for Hive-2.3.3

2018-10-17 Thread Daniel Dai
Yes, I cleared the fixed version from the Jiras. It should be fixed.

Thanks,
Daniel

From: Oleksiy S
Reply-To: user@hive.apache.org
Date: Friday, October 5, 2018 at 5:02 AM
To: d...@hive.apache.org, user@hive.apache.org
Subject: Re: Incorrect Release Notes for Hive-2.3.3

Guys, any updates?

On Thu, Oct 4, 2018 at 11:15 AM Oleksiy S <osayankin.superu...@gmail.com> wrote:
Current release notes for Hive-2.3.3 are: 
RNs

Release Notes - Hive - Version 2.3.3

** Bug
* [HIVE-16939] - metastore error: 'export: -Dproc_metastore : not a valid 
identifier'
* [HIVE-18767] - Some alterPartitions invocations throw 
'NumberFormatException: null'
* [HIVE-18788] - Clean up inputs in JDBC PreparedStatement
* [HIVE-18815] - Remove unused feature in HPL/SQL
* [HIVE-18879] - Disallow embedded element in UDFXPathUtil needs to work if 
xercesImpl.jar in classpath
* [HIVE-18885] - DbNotificationListener has a deadlock between Java and DB 
locks (2.x line)
* [HIVE-20304] - When hive.optimize.skewjoin and hive.auto.convert.join are 
both set to true, and the execution engine is mr, same stage may launch twice 
due to the wrong generated plan
* [HIVE-20441] - NPE in ExprNodeGenericFuncDesc  when 
hive.allow.udf.load.on.demand is set to true

** Improvement
* [HIVE-19900] - HiveCLI HoS Performs Invalid Impersonation If User Name 
Truncated
* [HIVE-20284] - In strict mode, if constant propagation is enable, the 
partition filter may be folded before partition pruner lead to error "No 
partition predicate for Alias"


See the table for a short summary.

Issue        Comment
HIVE-18767   Issue is not in Hive-2.3.3
HIVE-20304   Issue is unresolved in Apache Hive JIRA
HIVE-20441   Issue is unresolved in Apache Hive JIRA
HIVE-19900   Resolved: Workaround. No commit to see
HIVE-20284   Issue is unresolved in Apache Hive JIRA


Please remove incorrect JIRAs from RNs.

--
Oleksiy


--
Oleksiy


[SECURITY] CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files

2018-04-04 Thread Daniel Dai
CVE-2018-1284: Hive UDF series UDFXPath allow users to pass
carefully crafted XML to access arbitrary files

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions from 0.6.0

Description: A malicious user might use any of the xpath UDFs
(xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short)
to expose the content of a file on the machine running HiveServer2,
owned by the HiveServer2 user (usually hive), if
hive.server2.enable.doAs=false.

Mitigation: Users who use xpath UDFs in HiveServer2 with
hive.server2.enable.doAs=false are recommended to upgrade to 2.3.3, or to
update UDFXPathUtil.java to the head of branch-2.3 and rebuild
hive-exec.jar:
https://git1-us-west.apache.org/repos/asf?p=hive.git;a=blob;f=ql/src/java/org/apache/hadoop/hive/ql/udf/xml/UDFXPathUtil.java;hb=refs/heads/branch-2.3.
If these functions are not being used at present, you can also
disable their use by adding them to the value of the config
hive.server2.builtin.udf.blacklist.
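As an added example (not Hive's UDFXPathUtil), the function below shows the hardening that closes this class of bug in an xpath-style evaluator: refuse any document that carries a DOCTYPE, since only a DOCTYPE can declare the external entity that reaches a local file. It is assumed, not confirmed here, that this matches what the branch-2.3 fix does; compare with the source linked above. The benign and crafted documents are constructed.

```python
"""Hardened stand-in for an xpath_string-style UDF: refuse any document that
declares a DOCTYPE, so no entity (external or internal) can be declared."""
import re
import xml.etree.ElementTree as ET

# Assumption: the fix shipped in Hive 2.3.3 rejects DOCTYPE declarations;
# the check below is the general XXE hardening, applied before parsing.
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def xpath_string(xml_text, path):
    """Text of the first element matching `path`, or '' if nothing matches.

    `path` is an ElementTree path relative to the root element.  Hive's UDF
    evaluates full XPath against the document node, so its paths start with
    the root element's name; the hardening is the same either way."""
    if _DOCTYPE.search(xml_text):
        # Fail closed: a DOCTYPE anywhere, even inside a comment, is refused.
        raise ValueError("DOCTYPE declarations are not accepted")
    root = ET.fromstring(xml_text)
    node = root.find(path)
    return (node.text or "") if node is not None else ""


def is_rejected(xml_text, path):
    """True if the hardened evaluator refuses the document."""
    try:
        xpath_string(xml_text, path)
    except (ValueError, ET.ParseError):
        return True
    return False


# Constructed inputs: a benign document and the generic shape of an
# external-entity document that points at a local file.
BENIGN = "<a><b>first</b><b>second</b></a>"
CRAFTED = ('<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
           '<r>&x;</r>')

if __name__ == "__main__":
    print(xpath_string(BENIGN, "b"))   # first
    print(is_rejected(CRAFTED, "."))   # True
```

Rejecting the DOCTYPE up front, before any parser sees the bytes, keeps the behaviour independent of which XML implementation happens to be on the classpath, which is exactly the trap the HIVE-18879 entry in the 2.3.3 release notes on this page refers to (xercesImpl.jar present).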


[SECURITY] CVE-2018-1282 JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned

2018-04-04 Thread Daniel Dai
CVE-2018-1282: JDBC driver is susceptible to SQL injection attack if
the input parameters are not properly cleaned

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Hive
JDBC driver from 0.7.1

Description: This vulnerability in Hive allows carefully crafted arguments to be
used to bypass the argument escaping/cleanup that the JDBC driver does in
its PreparedStatement implementation.

Mitigation: It is recommended to upgrade prior versions of the Hive JDBC
driver to 2.3.3.
Note that the Hive JDBC driver is not backward compatible with HiveServer2,
which means a newer version of the Hive JDBC driver may not talk to an older
version of HiveServer2. In particular, Hive JDBC driver 2.3.3 won't talk
to HiveServer2 2.1.1 or prior. If users are running Hive 2.1.1 or below
they might need to upgrade all the Hive instances to 2.3.3.


An alternative to the upgrade is to take the following two actions in your
Hive JDBC client code/application when dealing with user-provided
input in PreparedStatement:
1. Avoid passing user input to PreparedStatement.setBinaryStream
2. Sanitize the user input for PreparedStatement.setString by
replacing all occurrences of \' with '

Credit: This issue was discovered by Bear Giles of SnapLogic
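The short model below is an added example, not the Hive JDBC driver's code. It assumes the driver substitutes each ? on the client side and that the pre-2.3.3 escaping touched only the single quote; under that assumption it shows how a value beginning with \' ends up outside the string literal, and that both escaping the backslash first and the advisory's setString workaround keep it inside. The setBinaryStream path is outside the model. Payload and template are constructed.

```python
"""Model of client-side '?' substitution in a JDBC driver, showing why
escaping only the quote is bypassable and two ways to close the hole."""


def quote_vulnerable(value):
    """Assumed model of the pre-2.3.3 behaviour: escape only the quote.
    A value that starts with backslash-quote becomes backslash-backslash-quote,
    which a backslash-escaping lexer reads as an escaped backslash followed
    by a quote that terminates the literal."""
    return "'" + value.replace("'", "\\'") + "'"


def quote_hardened(value):
    """Escape the escape character first, then the quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def sanitize_per_advisory(value):
    """The advisory's client-side workaround: collapse \\' to ' before the
    value reaches setString, so the driver's own escaping can no longer be
    turned into an escaped backslash followed by a live quote."""
    return value.replace("\\'", "'")


def literal_end(sql, start):
    """Index just past the single-quoted literal opening at sql[start],
    read the way a backslash-escaping SQL lexer (HiveQL's) reads it."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # escaped character, whatever it is
            continue
        if sql[i] == "'":
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def outside_literal(template, value, quoter):
    """Text that ends up after the parameter's literal.  The template must
    hold no quote before its single trailing '?', so anything returned was
    contributed by the value."""
    sql = template.replace("?", quoter(value), 1)
    return sql[literal_end(sql, sql.index("'")):]


# Constructed payload: a value that begins with backslash-quote.
PAYLOAD = "\\' OR 1=1 -- "
TEMPLATE = "SELECT * FROM users WHERE name = ?"

if __name__ == "__main__":
    cases = [("vulnerable", quote_vulnerable, PAYLOAD),
             ("hardened", quote_hardened, PAYLOAD),
             ("workaround", quote_vulnerable, sanitize_per_advisory(PAYLOAD))]
    for label, quoter, value in cases:
        print("%-10s %r -> outside literal: %r"
              % (label, TEMPLATE.replace("?", quoter(value), 1),
                 outside_literal(TEMPLATE, value, quoter)))
```

The vulnerable case leaves " OR 1=1 -- '" outside the literal, i.e. live SQL from user input; the other two leave nothing. Server-side parameter binding would avoid the whole problem, but the advisory's driver substitutes on the client, so correct escaping of the escape character itself is what the fix comes down to.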


[SECURITY] CVE-2018-1315 'COPY FROM FTP' statement in HPL/SQL can write to arbitrary location if the FTP server is compromised

2018-04-04 Thread Daniel Dai
CVE-2018-1315: 'COPY FROM FTP' statement in HPL/SQL can write to
arbitrary location if the FTP server is compromised

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Hive 2.1.0 to 2.3.2

Description: When a 'COPY FROM FTP' statement is run using the HPL/SQL extension to
Hive, a compromised/malicious FTP server can cause the file to be
written to an arbitrary location on the cluster where the command is
run from. This is because the FTP client code in HPL/SQL does not verify
the destination location of the downloaded file. This does not affect Hive
CLI users or HiveServer2 users, as hplsql is a separate command-line
script and needs to be invoked differently.

Mitigation: Users who use HPL/SQL with Hive 2.1.0 through 2.3.2 should upgrade to
2.3.3, which removes support for "COPY FROM FTP". Alternatively, the
usage of HPL/SQL can be disabled through other means.

Credit: This issue was discovered by Danny Grander of Snyk
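The check the advisory says is missing, written as an added example rather than HPL/SQL code: resolve the server-supplied file name under a fixed destination directory and refuse anything that resolves elsewhere. It assumes the client knows its destination directory up front; the sample names are constructed.

```python
"""Destination check for a file whose name is supplied by a remote FTP server."""
import os


def safe_target(dest_dir, remote_name):
    """Local path under dest_dir for remote_name, or ValueError if the name
    would land anywhere else (absolute path, '..' traversal, an empty name,
    or a sibling directory that merely shares dest_dir's prefix)."""
    base = os.path.abspath(dest_dir)
    if (not remote_name or remote_name.startswith(("/", "\\"))
            or os.path.isabs(remote_name)):
        raise ValueError("refused remote name: %r" % remote_name)
    candidate = os.path.abspath(os.path.join(base, remote_name))
    # commonpath, not a string prefix test: '/tmp/dl' must not accept
    # '/tmp/dl_evil/x', and the directory itself is not a valid file target.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("remote name escapes %s: %r" % (base, remote_name))
    return candidate


def rejects(dest_dir, remote_name):
    """True if safe_target refuses the name."""
    try:
        safe_target(dest_dir, remote_name)
    except ValueError:
        return True
    return False


# Constructed names as a hostile server might return them.
DEST = "/tmp/hplsql_dl"
SAMPLES = ["data/part-0.csv", "../../etc/cron.d/job", "/etc/passwd",
           "../hplsql_dl_evil/x", ""]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict = "REFUSED" if rejects(DEST, name) else safe_target(DEST, name)
        print("%-24r -> %s" % (name, verdict))
```

The check is lexical (abspath normalises '..' without touching the filesystem), so it is also worth opening the final path with O_EXCL or O_NOFOLLOW where the platform offers it, since a symlink already present under the destination directory is a separate way to redirect the write.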


[ANNOUNCE] Apache Hive 2.3.3 Released

2018-04-04 Thread Daniel Dai
The Apache Hive team is proud to announce the release of Apache Hive
version 2.3.3.

The Apache Hive (TM) data warehouse software facilitates querying and
managing large datasets residing in distributed storage. Built on top
of Apache Hadoop (TM), it provides, among others:

* Tools to enable easy data extract/transform/load (ETL)

* A mechanism to impose structure on a variety of data formats

* Access to files stored either directly in Apache HDFS (TM) or in other
  data storage systems such as Apache HBase (TM)

* Query execution via Apache Hadoop MapReduce, Apache Tez and Apache Spark
frameworks.

For Hive release details and downloads, please visit:
https://hive.apache.org/downloads.html

Hive 2.3.3 Release Notes are available here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12342162&styleName=Text&projectId=12310843

We would like to thank the many contributors who made this release
possible.

Regards,

The Apache Hive Team


Re: [ANNOUNCE] New Hive PMC Chair - Ashutosh Chauhan

2015-09-16 Thread Daniel Dai
Congratulations!

On 9/16/15, 2:20 PM, "Szehon Ho"  wrote:

>Congrats to Ashutosh and thanks Carl for the years of service!
>
>On Wed, Sep 16, 2015 at 2:00 PM, Eugene Koifman 
>wrote:
>
>> Congrats!
>>
>> From: Pengcheng Xiong 
>> Reply-To: "user@hive.apache.org" 
>> Date: Wednesday, September 16, 2015 at 1:23 PM
>> To: "user@hive.apache.org" 
>>
>> Cc: "d...@hive.apache.org" , Ashutosh Chauhan <
>> hashut...@apache.org>
>> Subject: Re: [ANNOUNCE] New Hive PMC Chair - Ashutosh Chauhan
>>
>> Congratulations Ashutosh!
>>
>> On Wed, Sep 16, 2015 at 1:17 PM, John Pullokkaran <
>> jpullokka...@hortonworks.com> wrote:
>>
>>> Congrats Ashutosh!
>>>
>>> From: Vaibhav Gumashta 
>>> Reply-To: "user@hive.apache.org" 
>>> Date: Wednesday, September 16, 2015 at 1:01 PM
>>> To: "user@hive.apache.org" ,
>>>"d...@hive.apache.org"
>>> 
>>> Cc: Ashutosh Chauhan 
>>> Subject: Re: [ANNOUNCE] New Hive PMC Chair - Ashutosh Chauhan
>>>
>>> Congrats Ashutosh!
>>>
>>> --Vaibhav
>>>
>>> From: Prasanth Jayachandran 
>>> Reply-To: "user@hive.apache.org" 
>>> Date: Wednesday, September 16, 2015 at 12:50 PM
>>> To: "d...@hive.apache.org" ,
>>>"user@hive.apache.org" <
>>> user@hive.apache.org>
>>> Cc: "d...@hive.apache.org" , Ashutosh Chauhan <
>>> hashut...@apache.org>
>>> Subject: Re: [ANNOUNCE] New Hive PMC Chair - Ashutosh Chauhan
>>>
>>> Congratulations Ashutosh!
>>>
>>> On Wed, Sep 16, 2015 at 12:48 PM -0700, "Xuefu Zhang" <
>>> xzh...@cloudera.com> wrote:
>>>
>>> Congratulations, Ashutosh!. Well-deserved.
>>>
>>> Thanks to Carl also for the hard work in the past few years!
>>>
>>> --Xuefu
>>>
>>> On Wed, Sep 16, 2015 at 12:39 PM, Carl Steinbach 
>>>wrote:
>>>
>>> > I am very happy to announce that Ashutosh Chauhan is taking over as
>>>the
>>> > new VP of the Apache Hive project. Ashutosh has been a longtime
>>> contributor
>>> > to Hive and has played a pivotal role in many of the major advances
>>>that
>>> > have been made over the past couple of years. Please join me in
>>> > congratulating Ashutosh on his new role!
>>> >
>>>
>>
>>



Re: [ANNOUNCE] New Hive Committer - Thejas Nair

2013-08-20 Thread Daniel Dai
Congratulation!


On Tue, Aug 20, 2013 at 4:56 PM Shreepadma Venugopalan <shreepa...@cloudera.com> wrote:

 Congrats Tejas!


 On Tue, Aug 20, 2013 at 9:32 AM Eugene Koifman <ekoif...@hortonworks.com> wrote:

  Congrats Thejas!
 
 
  On Tue, Aug 20, 2013 at 3:31 AM Carl Steinbach <c...@apache.org> wrote:
 
  The Apache Hive PMC has voted to make Thejas Nair a committer on the
  Apache
  Hive project.
 
  Please join me in congratulating Thejas!
 
 
 
  CONFIDENTIALITY NOTICE
  NOTICE: This message is intended for the use of the individual or entity
  to which it is addressed and may contain information that is
 confidential,
  privileged and exempt from disclosure under applicable law. If the reader
  of this message is not the intended recipient, you are hereby notified
 that
  any printing, copying, dissemination, distribution, disclosure or
  forwarding of this communication is strictly prohibited. If you have
  received this communication in error, please contact the sender
 immediately
  and delete it from your system. Thank You.
 

