[SECURITY] CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files

CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass
carefully crafted XML to access arbitrary files
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: This vulnerability affects all versions from 0.6.0 onward.
Description: A malicious user might use any of the xpath UDFs
(xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short)
to expose the content of a file on the machine running HiveServer2
that is owned by the HiveServer2 user (usually hive) if
hive.server2.enable.doAs=false.
Mitigation: Users who use xpath UDFs in HiveServer2 with
hive.server2.enable.doAs=false are recommended to upgrade to 2.3.3, or to
update UDFXPathUtil.java to the head of branch-2.3 and rebuild
hive-exec.jar: https://git1-us-west.apache.org/repos/asf?p=hive.git;a=blob;f=ql/src/java/org/apache/hadoop/hive/ql/udf/xml/UDFXPathUtil.java;hb=refs/heads/branch-2.3.
If these functions are not being used at present, their use can also be
disabled by adding them to the value of the config
hive.server2.builtin.udf.blacklist.
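A defender's check on the configuration-based mitigation above, added here as an example and not code from Apache Hive: it parses a hive-site.xml, reports whether hive.server2.enable.doAs is false (the exposed setting) and which of the nine xpath UDFs are still missing from hive.server2.builtin.udf.blacklist, and builds the completed blacklist value. The hive-site.xml embedded below is constructed for the example; treating an absent doAs key as Hive's default of true is an assumption noted in the code.

```python
import xml.etree.ElementTree as ET

# The nine xpath UDFs named in the advisory.
XPATH_UDFS = ("xpath", "xpath_string", "xpath_boolean", "xpath_number",
              "xpath_double", "xpath_float", "xpath_long", "xpath_int",
              "xpath_short")

# Constructed sample hive-site.xml: doAs off, blacklist covers only two of nine.
SAMPLE_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>xpath, xpath_string,reflect</value>
  </property>
</configuration>
"""

def load_properties(xml_text):
    """Return {name: value} for every <property> element."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def blacklist_entries(props):
    """Split the comma-separated blacklist value into a clean list."""
    raw = props.get("hive.server2.builtin.udf.blacklist", "")
    return [e.strip() for e in raw.split(",") if e.strip()]

def audit(xml_text):
    """Return (doas_disabled, missing_udfs). Assumes Hive's default for
    hive.server2.enable.doAs is true, so an absent key counts as enabled;
    function names are compared case-insensitively, as Hive resolves them."""
    props = load_properties(xml_text)
    doas_disabled = props.get("hive.server2.enable.doAs", "true").lower() == "false"
    listed = {e.lower() for e in blacklist_entries(props)}
    return doas_disabled, [u for u in XPATH_UDFS if u not in listed]

def suggested_blacklist(xml_text):
    """Existing entries plus every xpath UDF not yet listed."""
    return ",".join(blacklist_entries(load_properties(xml_text)) + audit(xml_text)[1])

if __name__ == "__main__":
    disabled, missing = audit(SAMPLE_HIVE_SITE)
    print("doAs disabled:", disabled, "| xpath UDFs not blacklisted:", missing)
    if disabled and missing:
        print("Suggested value:", suggested_blacklist(SAMPLE_HIVE_SITE))
```

Point it at a real hive-site.xml by replacing SAMPLE_HIVE_SITE with the file's contents; a result of (True, [...]) with a non-empty list is the configuration the advisory describes.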

Source: Apache

2018-04-05 00:06:09