#VU11626 XXE attack in Apache Hive - CVE-2018-1284

Cybersecurity Help s.r.o.

Published: 2018-04-10 | Updated: 2018-04-10

Vulnerability identifier: #VU11626

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1284

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Hive
Server applications / Database software

Vendor: Apache Foundation

Description

The vulnerability allows a remote unauthenticated attacker to conduct XXE attack on the target system.

The weakness exists due to improper processing of XML input by multiple xpath UDFs when the affected software is configured to run HiveServer2 when the hive.server2.enable.doAs parameter is set to false. A remote attacker can submit customized XML input and gain access to potentially sensitive file information.

Mitigation
Update to version 2.3.3.

Vulnerable software versions

Apache Hive: 0.6.0 - 2.3.2

External links
https://lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868f73ccfdff46c7174b4@%3Cdev...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apache Hive