[SECURITY] CVE-2018-11777: Blocking local resource access in HiveServer2

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: This vulnerability affects all versions of Hive,
including 2.3.3, 3.1.0 and earlier.
Description: Local resources on HiveServer2 machines are not properly
protected against a malicious user if Ranger, Sentry or the SQL standard
authorizer is not in use.
Mitigation: It is recommended to upgrade to 2.3.4 or 3.1.1 or later if
HiveServer2 is used and Ranger, Sentry or the SQL standard authorizer
is not in use. The admin then needs to specify the following entries in
hiveserver2-site.xml:

  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
  </property>
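A small configuration audit for the two properties above, added here as an example and not part of the Apache advisory: it parses a Hadoop-style hiveserver2-site.xml and reports whether authorization is enabled with an authorizer the advisory considers sufficient. The two sample XML documents are constructed, and the class-name tokens used to recognise Ranger, Sentry and the SQL standard authorizer are an assumption to be checked against your deployment.

```python
# Added example (not from the Apache advisory): audit hiveserver2-site.xml
# for the CVE-2018-11777 mitigation. The property names and the Fallback
# class name are the ones listed in the advisory; sample XML is constructed.
import xml.etree.ElementTree as ET

FALLBACK = ("org.apache.hadoop.hive.ql.security.authorization.plugin."
            "fallback.FallbackHiveAuthorizerFactory")
# Assumption: the Ranger, Sentry and SQL standard authorizer factory class
# names contain these tokens. Verify against the classes you actually deploy.
SAFE_MANAGER_TOKENS = ("Ranger", "Sentry", "SQLStdHiveAuthorizerFactory", FALLBACK)


def load_properties(xml_text):
    """Flatten <property><name/><value/></property> entries into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(xml_text):
    """Return findings; an empty list means the mitigation is configured."""
    props = load_properties(xml_text)
    findings = []
    if props.get("hive.security.authorization.enabled", "false").lower() != "true":
        findings.append("hive.security.authorization.enabled is not true")
    manager = props.get("hive.security.authorization.manager", "")
    if not any(token in manager for token in SAFE_MANAGER_TOKENS):
        findings.append("hive.security.authorization.manager is %r; expected "
                        "Ranger, Sentry, SQL standard or %s" % (manager, FALLBACK))
    return findings


# Constructed sample: no authorization configured at all.
VULNERABLE_XML = """<configuration>
  <property><name>hive.server2.thrift.port</name><value>10000</value></property>
</configuration>"""

# Constructed sample: the advisory's two entries in place.
MITIGATED_XML = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name><value>%s</value></property>
</configuration>""" % FALLBACK

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_XML), ("mitigated", MITIGATED_XML)):
        print(label, audit(doc) or "OK")
```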
FallbackHiveAuthorizerFactory will do the following to mitigate the
above-mentioned threat:
1. Disallow local file locations in SQL statements except for admins
2. Allow "set" only for a selected whitelist of parameters
3. Disallow dfs commands except for admins
4. Disallow the "ADD JAR" statement
5. Disallow the "COMPILE" statement
6. Disallow the "TRANSFORM" statement
Credit: This issue was discovered by Mithun Radhakrishnan of Oath Inc

Source: Apache

2018-11-07 22:29:04