Hortonworks Data Platform for HDInsight

Fixed Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) that are addressed in this release.

CVE-2018-1331

Component: Storm

Summary: An attacker with access to a secure Storm cluster could, in some cases, execute arbitrary code as a different user.

Severity: Moderate

Vendor: Hortonworks

Versions Affected: HDP 3.0.0, HDP 3.0.1, HDP 2.6.x and HDF 3.2 or earlier

Users Affected: Users with Storm deployed in a secure cluster.

Impact: See STORM-3026. An attacker with access to a secure Storm cluster could, in some cases, execute arbitrary code as a different user.

Recommended Action: Upgrade to HDP 3.1 or HDF 3.3. After upgrading, the following configs must be set in storm.yaml so that Nimbus enforces the ZooKeeper ACL checks:
  storm.nimbus.zookeeper.acls.check: true
  storm.nimbus.zookeeper.acls.fixup: true

CVE-2018-1332

Component: Storm

Summary: In a secure Storm cluster an attacker could impersonate another user when communicating with some Storm Daemons.

Severity: Moderate

Vendor: Hortonworks

Versions Affected: HDP 3.0.0, HDP 2.6.x, HDF 3.2 and earlier

Users Affected: Users with Storm deployed in a secure cluster.

Impact: See STORM-3027. The affected Storm versions expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.

Recommended Action: Upgrade to HDP 3.1.0 or HDF 3.3.

CVE-2018-11777

Component: Hive/Hive2

Summary: Local resources on HiveServer2 machines are not properly protected against a malicious user if neither Ranger nor the SQL Standard Authorizer is in use.

Severity: Important

Vendor: Hortonworks

Versions Affected: HDP 1.0.0 to HDP 2.6.5, HDP 3.0.0, and HDP 3.0.1

Users Affected: This affects only configurations of HDP where Ranger or SQL Standard Authorization is not enabled.

Impact: Local resources on the HiveServer2 machine can be read or written by an arbitrary Hive user if neither Ranger nor SQL Standard Authorization is in use.

Recommended Action: Upgrade to an HDP version with the fix if HiveServer2 is used and neither Ranger nor the SQL Standard Authorizer is in use. The admin also needs to add the following entries to the hiveserver2-site.xml file:
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
</property>
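
As an added check (not HDP or Hive code), the Python below parses a hiveserver2-site.xml in Hadoop's <property> layout and reports whether the mitigation above is in place: a configuration counts as mitigated only when hive.security.authorization.enabled is true and hive.security.authorization.manager names an authorizer factory, and it is flagged separately when the manager is the FallbackHiveAuthorizerFactory recommended here. The two sample site files are constructed for illustration, and the function names are assumptions.

```python
"""Audit a hiveserver2-site.xml for the CVE-2018-11777 mitigation.
Added example, not HDP or Hive code: it parses Hadoop-style <property>
elements and reports whether a Hive authorizer is configured."""
import xml.etree.ElementTree as ET

# Authorizer the advisory recommends when neither Ranger nor SQL Standard
# authorization is in use.
FALLBACK_AUTHORIZER = ("org.apache.hadoop.hive.ql.security.authorization."
                       "plugin.fallback.FallbackHiveAuthorizerFactory")

# Constructed sample: a site file with no authorization settings at all.
VULNERABLE_SITE = """<configuration>
  <property><name>hive.server2.thrift.port</name><value>10000</value></property>
</configuration>"""

# Constructed sample: the advisory's recommended entries.
FIXED_SITE = """<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>%s</value>
  </property>
</configuration>""" % FALLBACK_AUTHORIZER


def parse_site(xml_text: str) -> dict:
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def audit_authorization(xml_text: str) -> dict:
    """Classify a site file: mitigated only if authorization is enabled
    AND an authorizer factory is named (one without the other is not)."""
    props = parse_site(xml_text)
    enabled = props.get("hive.security.authorization.enabled", "false").lower() == "true"
    manager = props.get("hive.security.authorization.manager", "")
    return {
        "enabled": enabled,
        "manager": manager,
        "mitigated": enabled and bool(manager),
        "uses_fallback": manager == FALLBACK_AUTHORIZER,
    }


if __name__ == "__main__":
    for label, site in (("vulnerable", VULNERABLE_SITE), ("fixed", FIXED_SITE)):
        print(label, audit_authorization(site))
```

Run it against the real file with `audit_authorization(open("/etc/hive/conf/hiveserver2-site.xml").read())`; a result with `enabled` true but an empty `manager` is still reported as unmitigated, since Hive then has no authorizer to enforce anything with.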

CVE-2018-1314

Component: Hive/Hive2

Summary: The Hive "EXPLAIN" operation does not check that the user is authorized for the entities involved in a query. An unauthorized user can run "EXPLAIN" on an arbitrary table or view and expose its metadata and statistics.

Severity: Important

Vendor: Hortonworks

Versions Affected: HDP 1.0.0 to HDP 2.6.5, HDP 3.0.0, and HDP 3.0.1

Impact: Hive table metadata and statistics are exposed to unauthorized Hive users.

Recommended Action: Upgrading to an HDP version with the fix will address the problem. HDP versions with the fix:
  • 3.0.1.3 (if the current version is HDP 3.0.x)
  • 2.6.5.54 (if the current version is HDP 2.6.5.0)
  • 2.6.5.1003 (if the current version is one of the HDP 2.6.5.100* versions released for Data Lifecycle Manager support)

CVE-2018-8008

Component: Storm

Summary: Apache Storm arbitrary file write vulnerability.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: HDP 3.0.0, HDP 2.6.5 and earlier

Impact: Apache Storm versions 1.0.6 and earlier, 1.1.2 and earlier, and 1.2.1 and earlier expose an arbitrary file write vulnerability. It is triggered with a specially crafted archive (zip, and likewise bzip2, tar, xz, war, cpio and 7z) whose entry names contain path traversal sequences: when such a filename is concatenated to the target extraction directory, the final path ends up outside that directory.
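
The unsafe concatenation described above, as an added example that is not code from Apache Storm or HDP: the Python below builds a zip in memory with a constructed traversal entry (the names topology/config.yaml and ../../etc/cron.d/evil are illustrative), shows the vulnerable join, and applies the realpath containment check that a fixed extractor performs on every entry before writing anything. All function names, the entry names and the destination directory are assumptions for illustration.

```python
"""Zip-slip (the CVE-2018-8008 class of bug): a constructed archive with a
path traversal entry, the unsafe join, and the containment check that
rejects it. Added example; not code from Apache Storm or HDP."""
import io
import os
import shutil
import tempfile
import zipfile

# Constructed entry names, for illustration only.
BENIGN_ENTRY = "topology/config.yaml"
TRAVERSAL_ENTRY = "../../etc/cron.d/evil"


def build_zip(malicious: bool) -> bytes:
    """Build an in-memory zip; with malicious=True add a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, "nimbus.seeds: [nimbus]\n")
        if malicious:
            # The zip format happily stores '../' in a name; refusing it is
            # the extractor's job.
            zf.writestr(TRAVERSAL_ENTRY, "* * * * * root /tmp/x\n")
    return buf.getvalue()


def unsafe_target(dest_dir: str, name: str) -> str:
    """The vulnerable pattern: join the entry name to dest_dir unchecked."""
    return os.path.join(dest_dir, name)


def is_within(dest_dir: str, path: str) -> bool:
    """True iff path, after resolving '..' and symlinks, stays under dest_dir."""
    real_dest = os.path.realpath(dest_dir)
    real_path = os.path.realpath(path)
    return real_path == real_dest or real_path.startswith(real_dest + os.sep)


def classify_entries(zip_bytes: bytes, dest_dir: str) -> tuple:
    """Split archive entries into (safe, rejected) without writing anything."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = unsafe_target(dest_dir, info.filename)
            # os.path.join discards dest_dir for an absolute name, so check
            # the raw name as well as the resolved target.
            if os.path.isabs(info.filename) or not is_within(dest_dir, target):
                rejected.append(info.filename)
            else:
                safe.append(info.filename)
    return safe, rejected


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Validate every entry before writing any; raise on traversal."""
    safe, rejected = classify_entries(zip_bytes, dest_dir)
    if rejected:
        raise ValueError("path traversal in archive: " + ", ".join(rejected))
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in safe:
            target = os.path.join(dest_dir, name)
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(name)
    return written


def run_demo(malicious: bool) -> tuple:
    """Extract into a throwaway directory; return ('extracted', names)
    or ('rejected', message)."""
    dest = tempfile.mkdtemp(prefix="storm-extract-")
    try:
        return ("extracted", safe_extract(build_zip(malicious), dest))
    except ValueError as exc:
        return ("rejected", str(exc))
    finally:
        shutil.rmtree(dest, ignore_errors=True)


if __name__ == "__main__":
    print(classify_entries(build_zip(True), "/tmp/storm-extract"))
    print(run_demo(True))
    print(run_demo(False))
```

The check compares resolved paths rather than looking for a literal "../", so encoded variants and symlinked parents are caught too; the prefix test appends os.sep so that a destination of /tmp/x does not accept /tmp/xy. For formats that preserve symlinks (tar, cpio) the up-front pass is not enough on its own, because an entry can create a symlink that a later entry then writes through, so the same containment check must also run against each target at write time.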

Recommended Action: Upgrade to HDP 3.0.1 or HDP 3.1.0.