1303041 – (CVE-2015-7521) CVE-2015-7521 Apache Hive: authorization vulnerability

Bug 1303041 (CVE-2015-7521) - CVE-2015-7521 Apache Hive: authorization vulnerability

Summary: CVE-2015-7521 Apache Hive: authorization vulnerability

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-7521
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1303042
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-29 11:58 UTC by Andrej Nemec
Modified:	2021-10-21 00:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-21 00:49:59 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2016-01-29 11:58:02 UTC

The following flaw was reported in Apache Hive:

Some partition-level operations exist that do not explicitly also
authorize privileges of the parent table. This can lead to issues when
the parent table would have denied the operation, but no denial occurs
because the partition-level privilege is not checked by the
authorization framework, which defines authorization entities only
from the table level upwards.

This issue is known to affect Hive clusters protected by both Ranger
as well as SqlStdHiveAuthorization.

External reference:

http://seclists.org/bugtraq/2016/Jan/157

Comment 1 Andrej Nemec 2016-01-29 11:59:05 UTC

Created hive tracking bugs for this issue:

Affects: fedora-all [bug 1303042]

Comment 2 Andrej Nemec 2016-02-18 09:20:50 UTC

Updated external reference:

http://seclists.org/oss-sec/2016/q1/368

Note You need to log in before you can comment on or make changes to this bug.