Missing Authentication for Critical Function in Apache Hive

#VU76481 Missing Authentication for Critical Function in Apache Hive

Cybersecurity Help s.r.o.

Published: 2023-05-24

Vulnerability identifier: #VU76481

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-34538

CWE-ID: CWE-306

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Hive
Server applications / Database software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to CREATE() and DROP() function operations does not check for necessary authorization of involved entities in the query. A remote unauthenticated attacker can manipulate an existing UDF to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Hive: 3.1.0 - 3.1.2

External links
http://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Multiple vulnerabilities in IBM Operations Analytics Predictive Insights

Missing authentication for critical function in IBM InfoSphere Information Server