6. Common Vulnerabilities and Exposures

  • CVE-2015-1772: Apache Hive Authentication vulnerability in HiveServer2

    Severity: Important

    Vendor: Hortonworks

    Versions Affected: HDP 1.2-2.2; fixed in HDP 2.1.15+ and 2.2.6+.

    Users Affected: Users who use LDAP authentication mode in HiveServer2 and also have LDAP configured to allow unauthenticated (anonymous) binds.

    Impact: See BUG-41739 and HIVE-9934. LDAP services are sometimes configured to allow simple unauthenticated binds. When HiveServer2 is configured to use LDAP authentication mode (the hive.server2.authentication configuration parameter is set to LDAP) against such an LDAP service, users without proper credentials can be authenticated. This is more easily reproducible when Kerberos authentication is also enabled in the Apache Hadoop cluster.

    Recommended Action: This vulnerability can be addressed in any one of the following ways:

    • Upgrade to HDP 2.1 version newer than 2.1.15.0, or HDP 2.2 version newer than 2.2.6.0.

    • Configure the LDAP service to disallow unauthenticated binds. If the service allows anonymous binds, leaving Hive authorization checks disabled can also expose this vulnerability.

    • Update the Hive installation to use an authenticator with the fix. HiveServer2 LDAP authenticator is packaged in ldap-fix.tar.gz, which is available at http://public-repo-1.hortonworks.com/security/ldap-fix.tar.gz.

    Follow the instructions in the README.txt to install and configure it. Once a full HDP patch release is available, this notice will be replaced with instructions for obtaining the new release.
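The following is an added illustration of the failure mode described in the Impact section and of how the second and third recommended actions close it. It is not Hive's code and not the contents of ldap-fix.tar.gz: the directory is a constructed in-memory stand-in for an LDAP server, the DN layout and function names are assumptions, and the check in the hardened authenticator (refuse to bind at all when the supplied password is blank) is one reasonable fix for this class of bug, not a description of the exact patch. What it shows is why an authenticator that equates "the bind succeeded" with "the user proved a password" is unsafe against a directory that accepts binds carrying an empty password.

```python
"""Added illustration (not Hive's own code) of the CVE-2015-1772 failure
mode.  SimulatedLdapServer is a constructed stand-in; BASE_DN and the
authenticate() helpers are assumptions made for this example."""

from dataclasses import dataclass

BASE_DN = "ou=people,dc=example,dc=com"   # assumed directory layout


@dataclass
class SimulatedLdapServer:
    """Minimal model of LDAP simple-bind handling (RFC 4513, section 5.1).

    A bind with a name and an EMPTY password is the "unauthenticated
    authentication mechanism"; an empty name with an empty password is an
    anonymous bind.  Neither verifies a credential.  A server that allows
    them answers success and grants anonymous access, which a naive client
    reads as "password accepted".
    """
    passwords: dict                       # DN -> password (constructed sample data)
    allow_unauthenticated_binds: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            # No credential to check: the outcome depends only on server policy.
            return self.allow_unauthenticated_binds
        return self.passwords.get(dn) == password


def user_dn(user: str) -> str:
    return f"uid={user},{BASE_DN}"


def vulnerable_authenticate(server: SimulatedLdapServer, user: str, password: str) -> bool:
    """Pre-fix pattern: success is inferred purely from the bind result."""
    return server.simple_bind(user_dn(user), password)


def hardened_authenticate(server: SimulatedLdapServer, user: str, password: str) -> bool:
    """Fixed pattern (assumed): never send a blank password to the directory,
    so the bind can only succeed by matching a stored credential."""
    if not user or password is None or password.strip() == "":
        return False
    return server.simple_bind(user_dn(user), password)


def demo() -> dict:
    """Run the interesting cases and return their outcomes by name."""
    directory = {user_dn("alice"): "correct-horse"}   # constructed sample user
    permissive = SimulatedLdapServer(directory, allow_unauthenticated_binds=True)
    strict = SimulatedLdapServer(directory, allow_unauthenticated_binds=False)
    return {
        # the bug: an empty password is accepted because the bind "succeeds"
        "vulnerable_empty_pw_permissive_ldap": vulnerable_authenticate(permissive, "alice", ""),
        # recommended action 2: the LDAP service no longer accepts such binds
        "vulnerable_empty_pw_strict_ldap": vulnerable_authenticate(strict, "alice", ""),
        # recommended action 3: the authenticator refuses blank passwords itself
        "hardened_empty_pw_permissive_ldap": hardened_authenticate(permissive, "alice", ""),
        # real credentials still work through the hardened path
        "hardened_correct_pw": hardened_authenticate(permissive, "alice", "correct-horse"),
        "hardened_wrong_pw": hardened_authenticate(permissive, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:40s} -> {'AUTHENTICATED' if outcome else 'rejected'}")
```

Running the script prints one line per case; only the first (vulnerable authenticator, permissive directory, empty password) reports AUTHENTICATED. Either mitigation on its own turns that case into a rejection, which is why the advisory lists them as alternatives.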