Fixed Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures (CVE) that are addressed in this release.
CVE-2018-1331
Component: Storm
Summary: An attacker with access to a secure Storm cluster could, in some cases, execute arbitrary code as a different user.
Severity: Moderate
Vendor: Hortonworks
Versions Affected: HDP 3.0.0, HDP 3.0.1, HDP 2.6.x and HDF 3.2 or earlier
Users Affected: Users with Storm deployed in a secure cluster.
Impact: See STORM-3026. An attacker with access to a secure Storm cluster could, in some cases, execute arbitrary code as a different user.
Recommended Action: Upgrade to HDP 3.1 or HDF 3.3. After upgrading, set the following configs to enforce the ACL checks:
storm.nimbus.zookeeper.acls.check: true
storm.nimbus.zookeeper.acls.fixup: true
CVE-2018-1332
Component: Storm
Summary: In a secure Storm cluster an attacker could impersonate another user when communicating with some Storm Daemons.
Severity: Moderate
Vendor: Hortonworks
Versions Affected: HDP 3.0.0, HDP 2.6.x, HDF 3.2 and earlier
Users Affected: Users with Storm deployed in a secure cluster.
Impact: See STORM-3027. The affected Storm versions expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.
Recommended Action: Upgrade to HDP 3.1.0 or HDF 3.3.
CVE-2018-11777
Component: Hive/Hive2
Summary: Local resources on HiveServer2 machines are not properly protected against a malicious user if Ranger or SQL Standard Authorizer is not in use.
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP 1.0.0 to HDP 2.6.5, HDP 3.0.0, and HDP 3.0.1
Users Affected: This affects only configurations of HDP where Ranger or SQL Standard Authorization is not enabled.
Impact: Local resources on the HiveServer2 machine can be read or written by an arbitrary Hive user if Ranger or SQL Standard Authorization is not in use.
Recommended Action: If neither Ranger nor SQL Standard Authorization is enabled, set the following properties in hive-site.xml to enable the fallback authorizer:
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
</property>
CVE-2018-1314
Component: Hive/Hive2
Summary: The Hive "EXPLAIN" operation does not check for the necessary authorization of the entities involved in a query. An unauthorized user can run "EXPLAIN" on an arbitrary table or view and expose its metadata and statistics.
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP 1.0.0 to HDP 2.6.5, HDP 3.0.0, and HDP 3.0.1
Impact: Hive metadata and statistics are not protected against unauthorized Hive users.
Recommended Action: Upgrade to one of the following versions:
- 3.0.1.3 (if the current version is HDP 3.0.x)
- 2.6.5.54 (if the current version is HDP 2.6.5.0)
- 2.6.5.1003 (if the current version is one of the HDP 2.6.5.100* versions released for Data Lifecycle Manager support)
CVE-2018-8008
Component: Storm
Summary: Apache Storm arbitrary file write vulnerability.
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: HDP 3.0.0, HDP 2.6.5 and earlier
Impact: Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and 1.1.2 and earlier expose an arbitrary file write vulnerability that can be triggered with a specially crafted zip archive (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z) containing path-traversal filenames. When such a filename is concatenated to the target extraction directory, the final path ends up outside the target folder.
Recommended Action: Upgrade to HDP 3.0.1 or HDP 3.1.0.
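The extraction flaw described for CVE-2018-8008, shown as an added example that is not Storm or HDP code. It constructs small zip and tar archives in memory (sample content only) whose member names use "../" or are absolute, shows the vulnerable pattern of joining the entry name onto the extraction directory, and contrasts it with a containment check that resolves the candidate path and refuses any member that lands outside the directory. The tar half goes beyond the CVE text: it also vets symlink and hardlink targets, since a link member pointing outside the directory would redirect every later member written through it. The extraction directory /srv/storm/extract is hypothetical.

```python
"""Zip Slip: path traversal through archive entry names (added example, not Storm code)."""
import io
import os
import tarfile
import zipfile

DEST = "/srv/storm/extract"  # hypothetical extraction directory


def build_malicious_zip() -> bytes:
    """Constructed sample: one benign entry, one '../' entry, one absolute entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("topology/config.yaml", "nimbus.seeds: [nimbus1]\n")
        zf.writestr("../../../tmp/evil.sh", "#!/bin/sh\necho pwned\n")
        zf.writestr("/etc/cron.d/evil", "* * * * * root /tmp/evil.sh\n")
    return buf.getvalue()


def build_malicious_tar() -> bytes:
    """Constructed sample: a symlink escaping the tree, then a file written through it."""
    buf = io.BytesIO()
    data = b"echo pwned\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("lib/worker.sh")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("lib/out")           # lib/out -> /tmp
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../tmp"
        tf.addfile(link)
        info = tarfile.TarInfo("lib/out/evil.sh")   # would land in /tmp via the link
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_target_path(dest_dir: str, member_name: str) -> str:
    """The vulnerable pattern: the entry name is concatenated onto the target
    directory and handed to the filesystem, which honours '..' and absolute names."""
    return os.path.join(dest_dir, member_name)


def contained(dest_dir: str, relative_path: str) -> bool:
    """True if dest_dir/relative_path, after resolving '..' and symlinks, stays under dest_dir.
    commonpath (not startswith) avoids the '/srv/storm/extract' vs '/srv/storm/extractor' trap."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, relative_path))
    return os.path.commonpath([root, target]) == root


def is_safe_entry(dest_dir: str, member_name: str) -> bool:
    """Hardened check applied to every member name before anything is written."""
    return contained(dest_dir, member_name)


def classify_zip(zip_bytes: bytes, dest_dir: str) -> dict:
    """Map each zip member name to 'ok' or 'rejected' under the containment check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: ("ok" if is_safe_entry(dest_dir, n) else "rejected") for n in zf.namelist()}


def classify_tar(tar_bytes: bytes, dest_dir: str) -> dict:
    """Like classify_zip, but also vets link targets. A symlink target resolves
    relative to the member's own directory; a hardlink target is archive-relative."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf.getmembers():
            ok = is_safe_entry(dest_dir, m.name)
            if ok and m.issym():
                ok = contained(dest_dir, os.path.join(os.path.dirname(m.name), m.linkname))
            elif ok and m.islnk():
                ok = contained(dest_dir, m.linkname)
            result[m.name] = "ok" if ok else "rejected"
    return result


if __name__ == "__main__":
    for name in classify_zip(build_malicious_zip(), DEST):
        print(f"naive path : {naive_target_path(DEST, name)}")
    print("zip verdicts:", classify_zip(build_malicious_zip(), DEST))
    print("tar verdicts:", classify_tar(build_malicious_tar(), DEST))
```

Note that in the tar sample the file lib/out/evil.sh itself passes the name check; it is only harmless because the symlink before it is refused. An extractor should therefore vet every member first and abort the whole archive if any member is rejected, rather than skipping rejected members and continuing. Python's own zipfile.extract strips such components, and tarfile gained a filter argument in 3.12 for the same reason; code that builds paths by hand, as the affected Storm versions did, gets neither protection.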