Common Vulnerabilities and Exposures
CVE-2015-7521
| Summary: Apache Hive authorization bug disclosure |
| Severity: Important |
| Vendor: The Apache Software Foundation |
| Versions Affected: HDP versions 2.1.x, 2.2.x and 2.3.x versions before HDP 2.3.6 |
| Impact: Some partition-level operations exist that do not explicitly also authorize privileges of the parent table. This can lead to issues when the parent table would have denied the operation, but no denial occurs because the partition-level privilege is not checked by the authorization framework, which defines authorization entities only from the table level upwards. This issue is known to affect Hive clusters protected by both Ranger as well as SqlStdHiveAuthorization. |
| Migration: For Hive 0.13.x, 0.14.x, 1.0, 1.1 and 1.2, a separate jar is being made available, which users can put in their ${HIVE_HOME}/lib/, and this provides a hook for administrators to add to their hive-site.xml, by setting hive.semantic.analyzer.hook=org.apache.hadoop.hive.ql.parse.ParentTableAuthorizationHook . This parameter is a comma-separated-list and this hook can be appended to an existing list if one already exists in the setup. You will then want to make sure that you protect the hive.semantic.analyzer.hook parameter from being changed at runtime by adding it to hive.conf.restricted.list. This jar and associated source tarball are available for download over at : https://hive.apache.org/downloads.html along with their gpg-signed .asc signatures, as well as the md5sums for verification in the hive-parent-auth-hook/ directory. This issue has already been patched in all Hive branches that are affected, and any future release will not need these mitigation steps. |
| Hortonworks Bug ID: BUG-50827 |
CVE-2017-3152
| Summary: DOM XSS threat |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas was found vulnerable to a DOM XSS in the edit-tag functionality. |
| Fix detail: Atlas was updated to sanitize the query parameters. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |
CVE-2017-3153
| Summary: Reflected XSS vulnerability |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas was found vulnerable to a Reflected XSS in the search functionality. |
| Fix detail: Atlas was updated to sanitize the query parameters. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |
CVE-2017-3154
| Summary: Stack trace in error response |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Error response from Atlas server included stack trace, exposing excessive information. |
| Fix detail: Atlas was updated to not include stack trace in error responses. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |
CVE-2017-3155
| Summary: XFS - cross frame scripting vulnerability |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas |
| Users affected: All users of Apache Atlas server |
| Impact: Atlas was found vulnerable to a cross frame scripting. |
| Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability. |
| Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version. |
CVE-2016-8746
| Summary: Apache Ranger path matching issue in policy evaluation |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the ranger policy admin tool. |
| Impact: Ranger policy engine incorrectly matches paths in certain conditions when a policy contains wildcards and recursive flags. |
| Fix detail: Fixed policy evaluation logic |
| Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+). |
CVE-2016-8751
| Summary: Apache Ranger stored cross site scripting issue |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the ranger policy admin tool. |
| Impact: Apache Ranger is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store some arbitrary javascript code execute when normal users login and access policies. |
| Fix detail: Added logic to sanitize the user input. |
| Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+). |
CVE-2016-8746
| Summary: Apache Ranger path matching issue in policy evaluation |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the ranger policy admin tool. |
| Impact: Ranger policy engine incorrectly matches paths in certain conditions when a policy contains wildcards and recursive flags. |
| Fix detail: Fixed policy evaluation logic |
| Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+). |
CVE-2016-8751
| Summary: Apache Ranger stored cross site scripting issue |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the ranger policy admin tool. |
| Impact: Apache Ranger is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store some arbitrary javascript code execute when normal users login and access policies. |
| Fix detail: Added logic to sanitize the user input. |
| Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+). |