Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.1380
CVE-2015-1772: Apache Hive Authentication vulnerability in HiveServer2
25 May 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache Hive
Publisher: The Apache Software Foundation
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-1772
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2015-1772: Apache Hive Authentication vulnerability in HiveServer2
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: All versions of Apache Hive from 0.11.0 to 1.0.0, and
1.1.0 .
Users affected: Users who use LDAP authentication mode in HiveServer2 and
also have LDAP configured to allow simple unauthenticated or anonymous bind.
Description:
LDAP services are sometimes configured to allow simple unauthenticated
binds.
When HiveServer2 is configured to use LDAP authentication mode
(hive.server2.authentication configuration parameter is set to LDAP),
with such LDAP configurations, it can allow users without proper credentials
to get authenticated.
This is more easily reproducible when Kerberos authentication is also
enabled
in the Apache Hadoop cluster.
Mitigation:
There are two options
1. Configure LDAP service to disallow unauthenticated binds. If the service
allows anonymous binds, not having hive authorization checks enabled can
also expose this vulnerability.
2. Update Hive installation to use an Authenticator with the fix. There are
two options here -
a. Users should upgrade to newer versions of Apache Hive with the
fix, which includes 1.0.1, 1.1.1 and 1.2.0 .
b. Users can download the ldap-fix.tar.gz being made available for
download from the Apache Hive downloads page and follow instructions
in the README.txt to use an LDAP authenticator that contains the fix
with your existing Hive release.
Credit:
Thanks to Thomas Rega of CareerBuilder for reporting this issue.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJVXmECAAoJEN3RdT/2ztzmBDsP/inSE3VaTc7gLJf03MbjtoBX
bxrnWGpJir7IVe1nrlj2WiD8i4m/TqG5OoHZB2ZCnVOKbjngh6Mq4ldXM4lzGemN
6aDYW6gIdplwhiiKoVeNrTISl38whPlNO9Kp8Y9nabSGFxBcngRIuWOq6KyOADra
PP9QMys7xB325JgrgEjS9Fxrtx8cGQK+cRDm/Fi5RCjQ0Q3VRmSKVzcbg2jDmyR/
38P67SlZm4w37Z8hrBKakTQ2ql2dkmCSjnlIQCB1dln4iLp6VR2S7sizeYSvk4aQ
86BqORYYwXAmWeUfhUBlbBbLmeicu4VTvhKB2wYkD2G0TBIqXk90GVf5mdwDLir0
gk0R+gfv6YF89pmFVFjwerkLozjKs43Vx5NjQz1IxCeXnoUOw5n6gVC1kFgvnL2o
SYIRqa0+nn1ARf9ssodzffnCsm3QGPMtgy3L+iBiWY6vfI+zgWBhOeFcnlNWieqV
epxn5Q5ojjlwAwKQ7irco3uULiBu+f/CIYq2ey4I8a8qNLHQRs9n850E/3MYaV5o
PmHdu2Gmuvj216fyS+5OuROAjFeuPPDq+qzRVOcISXnCfxzFjXL2PWvPc/RyMN1d
g82gMzwczv8EFhag5MdD5FMyqAxz8BKdeOaKk/QGPQG1XvlGqjuDKJYDCfsHI4F/
5mUttG40ky0zn3ONQAPC
=7NKg
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVWKaWhLndAQH1ShLAQLQAw/9FZCJ9ixvWdAgsj57L8dCDt0O06iJWFcw
p5RpvAvgqRY/JU8YBowI0ZWDJ6M0zt+iKkUrmiDqFO4v2iasvdoH6EWmJL5OSdjR
6/hVeJizxFjo19HWvaCKrkwg3278KXGZVWjihOzbEgVVfUJLMZN5oES1oYc2VFOD
YWZ7mEtN9XrXqvNcq3XVDw6rMoWRJloz+w4SJoYILrbB4EDss1rY6dRT9ZgmRny+
C+NALOByWdxKijWUxcb58QJn0R+k6ee7bT5AtCRoaddgY97rtfedf4iyyLuUDJpY
hgOoRHf5cBw9jhh5ybWdqb0VXOGGEaei+KYHmsE8yj8VKZwmXhg1c+p7Vd4UcBUo
zkLKDXdk3qZjIxV5GMK2TJ5/Lwn1oB/d0VX7SjpRHKzs9vpsmE77NEETUYFO+59C
si4st0TOtM88DTcTHksHrDlyAh5CySAv96aN5ZsfCEMoQcnYWa/uC4sXLcdQCrZu
5x4kmxh4a4zRHb8qbFTpTW1100f3NBchpzWS6R9V2CZF78zmxQC+icDr8n1XS0N/
3LzKLG88lvZ1KYvp7kLckJ+yKJs3MosfgZC5BQMVosmb9KKNxspfYXvW6YdAdFeV
XOGZiVvQ6WQyVqYZYkDDpiXaGVHqRYxmq5Hy8Hv1YMVwdyy9lv0iqhfITjdATVCj
mXw3Sge55xs=
=zj2h
-----END PGP SIGNATURE-----