Details
- Type: Backport
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: CDH 5.4.0, CDH 5.4.1, CDH 5.4.2, CDH5.4.0, CDH 5.4.3, CDH 5.4.4, CDH 5.4.5, CDH 5.4.7, CDH 5.5.0, CDH 5.4.8, CDH5 5.6.0
- Fix Version/s: None
- Component/s: Hive
- Labels:
- Environment: All
Description
A security vulnerability in Hive related to SQL Authorization controls was reported as CVE-2015-7521, which I found out about at the following links:
- http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB@minotaur.apache.org%3E
- http://seclists.org/bugtraq/2016/Jan/157
- https://access.redhat.com/security/cve/cve-2015-7521
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7521
The Hive project created a workaround for unpatched Hive distributions, which is used as a "plugin" by configuring the contained class as an authorization hook. The source and a pre-compiled jar of this workaround can be downloaded from here: http://apache.org/dist/hive/hive-parent-auth-hook/
The Apache JIRA issue for this bug is here: https://issues.apache.org/jira/browse/HIVE-12875
A working patch is attached to that JIRA issue.
The git commit of the fix resolving the bug can be seen here: https://git-wip-us.apache.org/repos/asf?p=hive.git;a=commit;h=98f933f269e6b528ef84912b3d701ca3272ec04b