Developer releases new versions and standalone patch

May 22, 2015 12:11 GMT  ·  By

A vulnerability in the HiveServer2 interface for Apache Hive enterprise data warehouse infrastructures can be exploited under certain conditions to allow authentication with improper credentials.

HiveServer2 is designed as a server interface for interaction with remote clients, which permits running queries in Hive and viewing the results. It is built with support for multiple client authentication mechanisms.

Apache Hive software enables searching through huge datasets that are stored in distributed locations. Initially, it was a subproject of the Hadoop data management platform, but it developed into a standalone product.

Configurations with active LDAP authentication mode are affected

The authentication vulnerability, which was assigned the tracking number CVE-2015-1772, affects all versions of Hive from 0.11.0 through 1.0.0, as well as 1.1.0.

It represents a risk only to deployments that rely on the LDAP (Lightweight Directory Access Protocol) authentication mode in HiveServer2 and whose LDAP configuration permits simple unauthenticated or anonymous binds. If this is the case, users without proper credentials can become authenticated.

The security advisory for the flaw, published on Thursday, notes that the issue is easier to reproduce when the Kerberos authentication mode is also turned on in the Apache Hadoop cluster.

Multiple ways to mitigate the risk

The problem can be addressed in two ways: updating to a new release that includes a patch, or disabling unauthenticated binds in the LDAP service.

The advisory warns that, if the second option is chosen, authorization checks need to be activated wherever the service still allows anonymous binds; otherwise the vulnerability remains exploitable.
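As an added illustration of the class of weakness the advisory describes, not code from Hive or from the advisory (which gives no technical details): under RFC 4513 section 5.1.2, a simple bind that carries a DN but an empty password is an unauthenticated bind, so a directory that permits such binds answers "success" without verifying anything, and any authenticator that equates "bind succeeded" with "password correct" is fooled. The mock directory, the base DN and the two `authenticate_*` functions are assumptions constructed for this example, showing the client-side check next to the server-side setting that closes the gap.

```python
from dataclasses import dataclass, field


@dataclass
class MockLdapServer:
    """Constructed stand-in for a directory server (not a real LDAP client).

    allow_unauthenticated models a server that accepts DN + empty password,
    the configuration condition the advisory describes.
    """
    passwords: dict = field(default_factory=dict)
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            # RFC 4513 5.1.2: unauthenticated bind; succeeds if the server permits it
            return self.allow_unauthenticated
        # Authenticated simple bind: the stored password must match
        return self.passwords.get(dn) == password


def user_dn(username: str) -> str:
    # Assumed base DN for the example directory
    return f"uid={username},ou=people,dc=example,dc=com"


def authenticate_naive(server: MockLdapServer, username: str, password: str) -> bool:
    """Weak pattern: trusts the bind outcome alone, so an empty password
    passes whenever the server allows unauthenticated binds."""
    return server.simple_bind(user_dn(username), password)


def authenticate_hardened(server: MockLdapServer, username: str, password: str) -> bool:
    """Refuse empty credentials before contacting the directory, so an
    unauthenticated bind can never be mistaken for a password check."""
    if not username or password is None or password == "":
        return False
    return server.simple_bind(user_dn(username), password)
```

Disabling unauthenticated binds on the server (`allow_unauthenticated=False` in the mock) closes the gap for the naive client too, which is the second mitigation the advisory lists.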

Patching the flaw can be done by upgrading to Apache Hive 1.0.1, 1.1.1 or 1.2.0, or by applying the standalone fix (ldap-fix.tar.gz) available for download from the Apache Hive download page.

Credited with uncovering and disclosing the vulnerability is Thomas Rega of the online job search service CareerBuilder. The severity of the flaw is rated important, but no technical details are available.