SB2018110910 - Security restrictions bypass vulnerabilities in Apache Hive

Published: November 9, 2018

Security Bulletin ID SB2018110910
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2018-1314)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper security restrictions when the EXPLAIN operation is used. A remote authenticated attacker can use the EXPLAIN operation in a query to bypass security restrictions, access or modify any file and conduct further attacks.


2) Security restrictions bypass (CVE-ID: CVE-2018-11777)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper security restrictions on local resources on HiveServer2 servers. If the Ranger, Sentry or SQL Standard authorizers are not in use, a remote authenticated attacker can bypass security restrictions, access or modify any file and conduct further attacks.
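The second issue is only exposed when no authorizer is configured. As an added illustration that is not part of this bulletin, the hive-site.xml fragment below shows the weak default (authorization disabled) next to a configuration that enables Hive's SQL Standard authorizer on HiveServer2, to be applied alongside the vendor update; the admin user name is a placeholder.

```xml
<!-- hive-site.xml on the HiveServer2 host (illustrative fragment, not from the bulletin) -->
<configuration>
  <!-- Weak setting: Hive's default leaves authorization disabled, so no authorizer is in use -->
  <!--
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>false</value>
  </property>
  -->

  <!-- Corrected: enable SQL Standard based authorization -->
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
  </property>
  <!-- Resolve the user from the HiveServer2 session rather than the Hadoop process user -->
  <property>
    <name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
  </property>
  <!-- SQL Standard authorization expects queries to run as the HiveServer2 service user -->
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
  </property>
  <!-- Placeholder value: the users permitted to take the ADMIN role -->
  <property>
    <name>hive.users.in.admin.role</name>
    <value>hive_admin_placeholder</value>
  </property>
</configuration>
```

Restart HiveServer2 after the change and confirm with SHOW CURRENT ROLES that sessions for non-admin users no longer hold the admin role.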


Remediation

Install the update from the vendor's website.