A vulnerability in the Java Database Connectivity (JDBC) driver used by Apache Hive could allow an unauthenticated, remote attacker to bypass security restrictions and conduct an SQL injection attack on a targeted system.
The vulnerability is due to insufficient sanitization of input parameters by the affected software. An attacker could exploit this vulnerability by submitting malicious arguments to the targeted system. A successful exploit could allow the attacker to bypass the argument escaping and cleanup functionality that the JDBC driver performs in the PreparedStatement implementation, which the attacker could use to conduct an SQL injection attack on the system.
The Apache Software Foundation has confirmed the vulnerability and released software updates.
CVE number – CVE-2018-1282
To exploit this vulnerability, an attacker must send malicious arguments to the targeted system, which may require access to trusted, internal networks. This access limitation reduces the likelihood of a successful exploit.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.
Administrators are advised to monitor affected systems.
The Apache Software Foundation has released a security announcement at the following link: CVE-2018-1282: JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned.
The Apache Software Foundation has released software updates at the following link: Hive 2.3.3
Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.