#VU76481 Missing Authentication for Critical Function in Apache Hive
Vulnerability identifier: #VU76481
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-306
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Hive
Server applications /
Database software
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to CREATE() and DROP() function operations does not check for necessary authorization of involved entities in the query. A remote unauthenticated attacker can manipulate an existing UDF to drop and recreate UDFs pointing them to new jars that could be potentially malicious.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Hive: 3.1.0 - 3.1.2
External links
http://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
