1564357 – (CVE-2018-1284) CVE-2018-1284 hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via crafted XML

Bug 1564357 (CVE-2018-1284) - CVE-2018-1284 hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via crafted XML

Summary: CVE-2018-1284 hive: Mishandled input in UDFXPathUtil.java allows users to acc...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-1284
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1564358
Blocks:	1564360
TreeView+	depends on / blocked

Reported:	2018-04-06 04:11 UTC by Sam Fowler
Modified:	2021-10-21 19:59 UTC (History)
CC List:	4 users (show)
Fixed In Version:	hive 2.3.3, hive 3.0.0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-21 19:59:36 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-04-06 04:11:46 UTC

Apache Hive through version 2.3.2 is vulnerable to the mishandling of xpath UDFs in UDFXPathUtil.java. An attacker could exploit this by passing crafted XML to access arbitrary files.


External References:

https://lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868f73ccfdff46c7174b4@%3Cdev.hive.apache.org%3E


Upstream Issue:

https://issues.apache.org/jira/browse/HIVE-18879


Upstream Patches:

https://issues.apache.org/jira/secure/attachment/12913270/HIVE-18879.1.patch
https://issues.apache.org/jira/secure/attachment/12913453/HIVE-18879.1-branch-2.3.patch

Comment 1 Sam Fowler 2018-04-06 04:12:12 UTC

Created hive tracking bugs for this issue:

Affects: fedora-all [bug 1564358]

Note You need to log in before you can comment on or make changes to this bug.