Common Vulnerabilities and Exposures
CVE-2016-0735: In some cases, presence of an exclude policy at a level can give the user access at its parent level.
Severity: Critical
Vendor: Hortonworks
Versions Affected: All HDP 2.3.0+.
Users Affected: All users that use Ranger to authorize HBase, Hive, and Knox.
Impact: In some cases, the presence of an exclude policy at one level can give the user access at its parent level. For example, if a Hive policy excludes a user's access to a particular column, that user would be able to alter the name of the table containing it. Only a user who has access at the table level should be able to do so; due to this bug, however, the presence of a column-level exclude policy for that table lets the user perform the table-level operation.
Recommended Action: Upgrade to 2.3.4.7+ or HDP 2.4.0.0+, or contact the Hortonworks support team.
CVE-2015-7521: Apache Hive authorization bug disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Hive 1.0.0 - 1.0.1, Apache Hive 1.1.0 - 1.1.1, and Apache Hive 1.2.0 - 1.2.1
Description: Some partition-level operations do not also authorize the privileges of the parent table. This can lead to cases where the parent table would have denied the operation, but no denial occurs because the partition-level privilege is not checked by the authorization framework, which defines authorization entities only from the table level upwards. This issue is known to affect Hive clusters protected by both Ranger and SqlStdHiveAuthorization.
Mitigation: For Hive 1.0, 1.1 and 1.2, a separate jar is being made available, which users can place in ${HIVE_HOME}/lib/. It provides a hook that administrators enable in hive-site.xml by setting hive.semantic.analyzer.hook=org.apache.hadoop.hive.ql.parse.ParentTableAuthorizationHook. This parameter is a comma-separated list, so the hook can be appended to an existing list if one is already configured. You will then want to protect the hive.semantic.analyzer.hook parameter from being changed at runtime by adding it to hive.conf.restricted.list. The jar and the associated source tarball are available for download at https://hive.apache.org/downloads.html, along with their gpg-signed .asc signatures and md5sums for verification, in the hive-parent-auth-hook/ directory. This issue has already been patched in all affected Hive branches, and future releases will not need these mitigation steps.
Hortonworks Bug ID: BUG-50827
Recommended Action: Upgrade to 2.3.4.7.x+ or 2.4.0.x+.
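To verify that a hive-site.xml carries the CVE-2015-7521 mitigation described above (the hook present in the comma-separated hive.semantic.analyzer.hook list, and that parameter locked via hive.conf.restricted.list), here is an added example check; it is not part of the advisory or of Apache Hive, and the sample hive-site.xml and the hook class com.example.ExistingHook are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HOOK_PARAM = "hive.semantic.analyzer.hook"
HOOK_CLASS = "org.apache.hadoop.hive.ql.parse.ParentTableAuthorizationHook"
RESTRICTED_PARAM = "hive.conf.restricted.list"

def load_hive_site(xml_text):
    """Parse Hadoop-style <configuration><property><name/><value/> XML into a dict."""
    root = ET.fromstring(xml_text)
    conf = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip()
        if name:
            conf[name] = value
    return conf

def split_list(value):
    """Split a comma-separated Hive list value, ignoring whitespace and empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_parent_auth_mitigation(conf):
    """Return (hook_enabled, hook_param_restricted) for the advisory's mitigation."""
    hooks = split_list(conf.get(HOOK_PARAM, ""))
    restricted = split_list(conf.get(RESTRICTED_PARAM, ""))
    return HOOK_CLASS in hooks, HOOK_PARAM in restricted

def mitigated_config(conf):
    """Return a copy of conf with the hook appended and the hook parameter restricted."""
    new = dict(conf)
    hooks = split_list(conf.get(HOOK_PARAM, ""))
    if HOOK_CLASS not in hooks:
        hooks.append(HOOK_CLASS)          # append, keeping any existing hooks
    restricted = split_list(conf.get(RESTRICTED_PARAM, ""))
    if HOOK_PARAM not in restricted:
        restricted.append(HOOK_PARAM)     # block runtime SET of the hook list
    new[HOOK_PARAM] = ",".join(hooks)
    new[RESTRICTED_PARAM] = ",".join(restricted)
    return new

# Constructed sample: another semantic hook is already configured (hypothetical
# class), and the restricted list does not yet protect the hook parameter.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.semantic.analyzer.hook</name><value>com.example.ExistingHook</value></property>
  <property><name>hive.conf.restricted.list</name><value>hive.security.authenticator.manager</value></property>
</configuration>"""

if __name__ == "__main__":
    conf = load_hive_site(SAMPLE_HIVE_SITE)
    print("before:", check_parent_auth_mitigation(conf))
    print("after: ", check_parent_auth_mitigation(mitigated_config(conf)))
```

On a real cluster, read the file with `load_hive_site(open(path).read())`; both values must be True after the jar is in ${HIVE_HOME}/lib/ and HiveServer2 has been restarted.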