1293837 – (CVE-2015-1772) CVE-2015-1772 Apache Hive: authentication vulnerability in HiveServer2

Bug 1293837 (CVE-2015-1772) - CVE-2015-1772 Apache Hive: authentication vulnerability in HiveServer2

Summary: CVE-2015-1772 Apache Hive: authentication vulnerability in HiveServer2

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2015-1772
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1293838
Blocks:	1293839
TreeView+	depends on / blocked

Reported:	2015-12-23 09:14 UTC by Martin Prpič
Modified:	2021-02-17 04:35 UTC (History)
CC List:	19 users (show)
Fixed In Version:	Apache Hive 1.0.1, Apache Hive 1.1.1, Apache Hive 1.2.0
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-01-12 23:53:41 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2015-12-23 09:14:26 UTC

The following flaw was reported in Apache Hive:

Users who use LDAP authentication mode in HiveServer2 and also have LDAP configured to allow simple unauthenticated or anonymous bind.

LDAP services are sometimes configured to allow simple unauthenticated binds. When HiveServer2 is configured to use LDAP authentication mode (hive.server2.authentication configuration parameter is set to LDAP), with such LDAP configurations, it can allow users without proper credentials to get authenticated.

External References:

https://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q@mail.gmail.com%3E

Comment 1 Martin Prpič 2015-12-23 09:15:02 UTC

Created hive tracking bugs for this issue:

Affects: fedora-all [bug 1293838]

Note You need to log in before you can comment on or make changes to this bug.