2330533 – (CVE-2022-41137) CVE-2022-41137 hive-metastore: org.apache.hive:hive-metastore: Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore

Bug 2330533 (CVE-2022-41137) - CVE-2022-41137 hive-metastore: org.apache.hive:hive-metastore: Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore

Summary: CVE-2022-41137 hive-metastore: org.apache.hive:hive-metastore: Apache Hive: D...

Keywords:
Status:	NEW
Alias:	CVE-2022-41137
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-12-05 11:01 UTC by OSIDB Bzimport
Modified:	2025-01-29 15:28 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-12-05 11:01:05 UTC

Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data.

In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments.

Note You need to log in before you can comment on or make changes to this bug.