Hortonworks Data Platform

Fixed Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) that are addressed in this release.

CVE-2018-1331

Component: Storm

Summary: An attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.

Severity: Moderate

Vendor: Hortonworks

Versions Affected: HDP 3.0.0, HDP 3.0.1, HDP 2.6.x and HDF 3.2 or earlier

Users Affected: Users with Storm deployed in a secure cluster.

Impact: See STORM-3026. An attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.

Recommended Action: Upgrade to HDP 3.1 or HDF 3.3. After upgrading, the following configs need to be set to enforce these ACL checks:
storm.nimbus.zookeeper.acls.check: true
storm.nimbus.zookeeper.acls.fixup: true

CVE-2018-1332

Component: Storm

Summary: In a secure Storm cluster an attacker could impersonate another user when communicating with some Storm Daemons.

Severity: Moderate

Vendor: Hortonworks

Versions Affected: HDP 3.0.0, HDP 2.6.x, HDF 3.2 and earlier

Users Affected: Users with Storm deployed in a secure cluster.

Impact: See STORM-3027. The affected Storm versions expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.

Recommended Action: Upgrade to HDP 3.1 or HDF 3.3.

CVE-2018-11777

Component: Hive/Hive2

Summary: Local resources on HiveServer2 machines are not properly protected against a malicious user if Ranger or SQL Standard Authorizer is not in use.

Severity: Important

Vendor: Hortonworks

Versions Affected: HDP 1.0.0 to HDP 2.6.5, HDP 3.0.0, and HDP 3.0.1

Users Affected: This affects only configurations of HDP where Ranger or SQL Standard Authorization is not enabled.

Impact: Local resources on the HiveServer2 machine can be read or written by an arbitrary Hive user if Ranger or SQL Standard Authorization is not in use.

Recommended Action: It is recommended to upgrade to an HDP version with the fix if HiveServer2 is used and Ranger or SQL Standard Authorizer is not in use. The admin needs to specify the following entries in the hiveserver2-site.xml file:
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
</property>
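The two remediations above (the Storm ZooKeeper ACL keys for CVE-2018-1331 and the HiveServer2 fallback authorizer for CVE-2018-11777) are only effective if the settings actually land in the deployed config files. The following audit script is an added example and is not part of the Hortonworks release notes: it reads a hiveserver2-site.xml and a storm.yaml and lists which of the advisory's settings are missing or wrong. The file contents, host names and function names below are constructed for illustration; the storm.yaml reader handles only flat top-level "key: value" lines, which is all the two ACL keys need.

```python
"""Audit HDP remediation settings for CVE-2018-1331 (Storm ZooKeeper ACL
checks) and CVE-2018-11777 (HiveServer2 fallback authorizer).

Added example, not part of the Hortonworks release notes. Sample file
contents are constructed; the parsers and function names are our own.
"""
import xml.etree.ElementTree as ET

# Settings the advisory says must be present after upgrading.
HIVE_REQUIRED = {
    "hive.security.authorization.enabled": "true",
    "hive.security.authorization.manager":
        "org.apache.hadoop.hive.ql.security.authorization.plugin.fallback."
        "FallbackHiveAuthorizerFactory",
}
STORM_REQUIRED = {
    "storm.nimbus.zookeeper.acls.check": "true",
    "storm.nimbus.zookeeper.acls.fixup": "true",
}


def parse_hadoop_site(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def parse_flat_yaml(yaml_text):
    """Return {key: value} for top-level 'key: value' lines only.

    Indented lines (list items, nested maps) and comments are skipped;
    this is deliberately not a general YAML parser.
    """
    props = {}
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or line[:1].isspace():
            continue
        key, sep, value = stripped.partition(":")
        if sep:
            props[key.strip()] = value.strip().strip("\"'")
    return props


def _matches(actual, expected):
    # Hadoop and Storm read booleans case-insensitively; class names are exact.
    if expected in ("true", "false"):
        return actual.lower() == expected
    return actual == expected


def missing_settings(actual, required):
    """Return sorted keys whose deployed value is absent or not the required one."""
    return sorted(k for k, v in required.items()
                  if not _matches(actual.get(k, ""), v))


def audit_hive(hiveserver2_site_xml):
    return missing_settings(parse_hadoop_site(hiveserver2_site_xml), HIVE_REQUIRED)


def audit_storm(storm_yaml):
    return missing_settings(parse_flat_yaml(storm_yaml), STORM_REQUIRED)


# Constructed sample: authorization explicitly off, no manager set.
WEAK_HIVE_SITE = """<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>false</value>
  </property>
</configuration>"""

# Constructed sample: both entries from the advisory present.
FIXED_HIVE_SITE = """<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
  </property>
</configuration>"""

# Constructed sample: only one of the two ACL keys set.
WEAK_STORM_YAML = """# constructed storm.yaml
storm.zookeeper.servers:
  - "zk1.example.internal"
nimbus.seeds: ["nimbus1.example.internal"]
storm.nimbus.zookeeper.acls.check: true
"""

FIXED_STORM_YAML = WEAK_STORM_YAML + "storm.nimbus.zookeeper.acls.fixup: true\n"

if __name__ == "__main__":
    for label, result in (("hive (weak)", audit_hive(WEAK_HIVE_SITE)),
                          ("hive (fixed)", audit_hive(FIXED_HIVE_SITE)),
                          ("storm (weak)", audit_storm(WEAK_STORM_YAML)),
                          ("storm (fixed)", audit_storm(FIXED_STORM_YAML))):
        print(label, "missing:", result or "none")
```

On a real host, pass the contents of the deployed hiveserver2-site.xml and storm.yaml to audit_hive and audit_storm; an empty list means every setting the advisory names is present with the expected value.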

CVE-2018-1314

Component: Hive/Hive2

Summary: The Hive "EXPLAIN" operation does not check for the necessary authorization of the entities involved in a query. An unauthorized user can run "EXPLAIN" on an arbitrary table or view and expose table metadata and statistics.

Severity: Important

Vendor: Hortonworks

Versions Affected: HDP 1.0.0 to HDP 2.6.5, HDP 3.0.0, and HDP 3.0.1

Impact: Hive metadata and statistics are not secure against an unauthorized Hive user.

Recommended Action: Upgrading to an HDP version with the fix will address the problem. HDP versions with fix:
  • 3.0.1.3 (If current version is HDP 3.0.x)
  • 2.6.5.54 (If current version is HDP 2.6.5.0)
  • 2.6.5.1003 (If current version is HDP 2.6.5.100* versions released for Data Lifecycle Manager support)