A vulnerability in multiple xpath user-defined functions (UDFs) used by Apache Hive could allow an unauthenticated, remote attacker to access sensitive information on a targeted system.
The vulnerability is due to improper processing of XML input by multiple xpath UDFs when the affected software runs HiveServer2 with the hive.server2.enable.doAs parameter set to false. An attacker could exploit this vulnerability by submitting customized XML input to a targeted system. A successful exploit could allow the attacker to access sensitive file information on the system.
The Apache Software Foundation has confirmed the vulnerability and released software updates.
CVE Number – CVE-2018-1284
To exploit this vulnerability, an attacker must send customized XML input to the targeted system, which may require access to trusted, internal networks. This access limitation reduces the likelihood of a successful exploit.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to monitor affected systems.
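The following is an added example, not code from the advisory or from the Apache Hive project, that turns the exposure conditions stated above into a check an administrator can run: an affected Hive version (fixed in 2.3.3) combined with HiveServer2 running with hive.server2.enable.doAs set to false. It assumes hive-site.xml uses the standard Hadoop configuration/property layout and that the operator supplies the running Hive version string; the sample configuration embedded below is constructed for the example.

```python
"""Check a HiveServer2 deployment for the CVE-2018-1284 exposure conditions
named in the advisory: Hive older than 2.3.3 with hive.server2.enable.doAs=false.

Assumptions (not from the advisory): hive-site.xml follows the usual Hadoop
<configuration><property><name/><value/></property></configuration> layout,
and the version string comes from the operator (e.g. the output of `hive --version`).
"""
import xml.etree.ElementTree as ET

# Version in which the Apache Software Foundation shipped the fix (from the advisory).
FIXED_VERSION = (2, 3, 3)

# Constructed sample hive-site.xml: an exposed configuration (doAs explicitly false).
SAMPLE_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
  </property>
  <property>
    <name>hive.server2.thrift.port</name>
    <value>10000</value>
  </property>
</configuration>
"""


def parse_hive_site(xml_text):
    """Return {property name: value} from a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def parse_version(version):
    """Turn '2.3.2' (or a vendor-suffixed '2.3.2-xyz') into a comparable tuple
    of the leading numeric components."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def doas_disabled(props):
    """True only when impersonation is explicitly switched off. Hive's default
    for hive.server2.enable.doAs is true, so a missing property is not exposed."""
    return props.get("hive.server2.enable.doAs", "true").lower() == "false"


def assess(version, props):
    """Combine both advisory conditions into one finding. 'exposed' is True only
    when the version predates the fix AND doAs is disabled."""
    version_affected = parse_version(version) < FIXED_VERSION
    doas_off = doas_disabled(props)
    findings = []
    if version_affected:
        findings.append("Hive %s predates the fixed release 2.3.3; apply the update." % version)
    if doas_off:
        findings.append("hive.server2.enable.doAs=false: queries run as the HiveServer2 "
                        "service account rather than the submitting user.")
    return {
        "version_affected": version_affected,
        "doas_disabled": doas_off,
        "exposed": version_affected and doas_off,
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess("2.3.2", parse_hive_site(SAMPLE_HIVE_SITE))
    print("exposed:", result["exposed"])
    for line in result["findings"]:
        print(" -", line)
```

Run it against the real hive-site.xml and version string of each HiveServer2 host; an "exposed" result means both conditions from the advisory hold and the update should be prioritized, while a true-or-absent doAs setting removes the specific condition the advisory describes but does not replace applying the update.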
The Apache Software Foundation has released a security announcement at the following link: CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files.
The Apache Software Foundation has released software updates at the following link: Hive 2.3.3