Apache Hive Java Database Connectivity Driver Bypass Vulnerability [CVE-2018-1282]

A vulnerability in the Java Database Connectivity (JDBC) driver used by Apache Hive could allow an unauthenticated, remote attacker to bypass security restrictions and conduct an SQL injection attack on a targeted system.

The vulnerability is due to insufficient sanitization of input parameters by the affected software. An attacker could exploit this vulnerability by submitting malicious arguments to the targeted system. A successful exploit could allow the attacker to bypass the argument escaping and cleanup functionality that the JDBC driver performs in the PreparedStatement implementation, which the attacker could use to conduct an SQL injection attack on the system.

The Apache Software Foundation has confirmed the vulnerability and released software updates.

CVE number – CVE-2018-1282

Analysis
  • To exploit this vulnerability, an attacker must send malicious arguments to the targeted system, which may require access to trusted, internal networks. This access limitation reduces the likelihood of a successful exploit.
Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

    For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.

    Administrators are advised to monitor affected systems.

Vendor Announcements
Fixed Software
  • The Apache Software Foundation has released software updates at the following link: Hive 2.3.3





Leave a Reply