SB2018041006 - Multiple vulnerabilities in Apache Hive

Published: April 10, 2018

Security Bulletin ID: SB2018041006
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) XXE attack (CVE-ID: CVE-2018-1284)

The vulnerability allows a remote attacker who can submit queries to HiveServer2 to conduct an XXE attack against the host running it. No authentication is required where HiveServer2 is deployed with the default hive.server2.authentication=NONE.

The weakness exists because the xpath family of UDFs (xpath, xpath_string, xpath_boolean, xpath_number, xpath_double, xpath_float, xpath_long, xpath_int and xpath_short) parse caller-supplied XML without disabling external entity resolution. When HiveServer2 runs with hive.server2.enable.doAs set to false, queries are evaluated as the HiveServer2 service user (usually hive) rather than as the submitting user, so a crafted XML argument that declares an external entity pointing at a local file can read any file on the HiveServer2 host that the service account can read and return its contents in the query result.
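The mechanism in a runnable form, as an added illustration and not code from Apache Hive (whose xpath UDFs are Java built on javax.xml): the same XML document is parsed twice with Python's xml.sax, once with external general entities resolved, as a misconfigured parser does, and once with them ignored. The "secret" file, its contents and the document shape are constructed for the example; the attacker's document is the generic external-entity pattern the XXE class is named for.

```python
"""Constructed XXE illustration for the flaw class in CVE-2018-1284.
Not Apache Hive code: Hive's UDFs are Java; this models the parser behaviour.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data, roughly what xpath_string() returns to a query."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


def extract_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse untrusted XML and return its text content.

    feature_external_ges is the single switch that decides whether an
    <!ENTITY x SYSTEM "..."> declaration is fetched from disk. It is off by
    default in current Python; turning it on reproduces the unsafe behaviour.
    """
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def xxe_payload(path: str) -> bytes:
    """Generic XXE document: an external entity bound to a local file and
    referenced in element content, so the file's bytes become the result."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE a [<!ENTITY secret SYSTEM "{path}">]>'
        '<a>&secret;</a>'
    ).encode()


def demo() -> dict:
    """Write a constructed secret file (stand-in for a config file readable by
    the service account), then parse the attacker document both ways.
    Returns the text each parser configuration produced."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("hive.metastore.password=not-for-you\n")  # constructed content
        path = f.name
    try:
        payload = xxe_payload(path)
        return {
            "external_entities_resolved": extract_text(payload, True),
            "external_entities_ignored": extract_text(payload, False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for setting, leaked in demo().items():
        print(f"{setting}: {leaked!r}")
```

The parser that resolves the entity hands the file contents back as ordinary element text, which is exactly the position a UDF that returns XML text to the query is in; the parser that ignores external general entities yields nothing for the reference. Disabling DOCTYPE declarations outright is the stricter option, since it also blocks entity-expansion denial of service, and is what a hardened parser factory should do for XML that arrives as a query argument.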


2) SQL injection (CVE-ID: CVE-2018-1282)

The vulnerability allows a remote attacker to inject arbitrary HiveQL into statements that an application issues through the Apache Hive JDBC driver.

The weakness exists in the driver's PreparedStatement implementation. Hive's JDBC driver binds parameters on the client side, building the final statement text by quoting and escaping each bound value, and that escaping is incomplete. An attacker who controls a bound parameter (for example, a value taken from an HTTP request to a web application backed by Hive) can therefore break out of the string literal the driver wraps it in and append further SQL. The PreparedStatement parameter binding that applications rely on for protection against SQL injection does not provide it in affected driver versions.

Successful exploitation allows the attacker to run arbitrary HiveQL with the privileges of the application's JDBC connection, which, depending on that connection's grants, may include reading or modifying data the application was not meant to expose.
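The escaping bypass in a runnable form, as an added illustration and not the Hive driver's code (which is Java): a client-side parameter binder in the style the text describes, two escaping rules, and a check that lexes the bound statement and reports whether a parameter changed its structure. The template, the attacker value and the weak rule (escaping the quote but not the backslash) are assumptions chosen to exhibit the bug class, not quoted from the driver.

```python
"""Constructed illustration of the PreparedStatement escaping flaw class in
CVE-2018-1282. Not Apache Hive code; the rules below model the bug class."""

# Assumed application query; each ? is bound client-side by the driver model.
TEMPLATE = "SELECT name, role FROM users WHERE name = ? AND active = ?"


def escape_quote_only(value: str) -> str:
    """Assumed weak rule: only the single quote is escaped; the escape
    character (backslash) passes through unchanged."""
    return value.replace("'", "\\'")


def escape_backslash_and_quote(value: str) -> str:
    """Hardened rule: escape the backslash first, then the quote, so no input
    can leave a bare backslash in front of the closing quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def bind_parameters(template: str, params, escape) -> str:
    """Client-side binding: every ? becomes a single-quoted literal built from
    the escaped parameter, mirroring how a driver without server-side
    prepared statements has to do it."""
    pieces = template.split("?")
    if len(pieces) - 1 != len(params):
        raise ValueError("parameter count does not match placeholders")
    out = [pieces[0]]
    for value, tail in zip(params, pieces[1:]):
        out.append("'" + escape(str(value)) + "'")
        out.append(tail)
    return "".join(out)


def statement_skeleton(sql: str) -> str:
    """Simplified lexer for single-quoted literals with backslash escapes
    (a model of HiveQL literals; double-quoted strings are not handled).
    Replaces every literal with ?; a correctly bound statement therefore
    lexes back to its original template."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        out.append("?")  # literal starts here
        i += 1
        while i < n:
            if sql[i] == "\\":  # escaped character: skip it and the escape
                i += 2
            elif sql[i] == "'":  # closing quote
                i += 1
                break
            else:
                i += 1
    return "".join(out)


def injection_detected(template: str, params, escape) -> bool:
    """True when a bound value altered the statement's structure."""
    return statement_skeleton(bind_parameters(template, params, escape)) != template


# Constructed attacker value. Under the weak rule the leading backslash turns
# the driver's added escape into an escaped backslash, so the attacker's own
# quote closes the literal early; "-- " then comments out the quote the binder
# appends, leaving a syntactically valid statement with an injected OR clause.
PAYLOAD = "\\' OR 1=1 -- "

if __name__ == "__main__":
    for name, escape in (("quote-only", escape_quote_only),
                         ("backslash+quote", escape_backslash_and_quote)):
        sql = bind_parameters(TEMPLATE, [PAYLOAD, "true"], escape)
        print(f"[{name}] {sql}")
        print(f"  skeleton: {statement_skeleton(sql)}")
        print(f"  injected: {injection_detected(TEMPLATE, [PAYLOAD, 'true'], escape)}")
```

The skeleton comparison is the check a practitioner can reuse when auditing any driver that binds parameters client-side: if lexing the final statement does not give back the template, a parameter has escaped its literal, regardless of which character sequence achieved it.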


Remediation

Upgrade to Apache Hive 2.3.3 or later, which contains the fixes for both issues. Note that the fix for CVE-2018-1282 lives in the JDBC driver, so applications must update their hive-jdbc dependency; upgrading only the server does not protect them. Until HiveServer2 can be upgraded, the advisory's own precondition for CVE-2018-1284 suggests an interim mitigation: run HiveServer2 with hive.server2.enable.doAs=true so that queries no longer execute with the HiveServer2 service account's file access, and restrict which principals may submit queries at all.