org.apache.hive:hive-hplsql@2.3.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.hive:hive-hplsql package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Arbitrary File Write

org.apache.hive:hive-hplsql is data warehouse software that facilitates reading, writing, and managing large datasets residing in distributed storage using SQL.

Affected versions of this package are vulnerable to Arbitrary File Write via the File Transfer Protocol (FTP) client functionality. Hive gives an SQL-like interface to query data stored in various databases and file systems that integrate with Hadoop. Among other things, it supports copying data from FTP servers, using the COPY-FROM-FTP command.

COPY FROM FTP host [USER user [PWD password]] [DIR directory] [FILES files_wildcard]
  [TO [LOCAL] target_directory] [options]

options:
  OVERWRITE | NEW
  SUBDIR
  SESSIONS num  

A possible attack is overwriting the SSH authorized_keys file of the root user, making it possible to log in as root later on. Assume that an Apache Hive instance connects to the attacker's malicious FTP server to download some merchant data daily, using the following query:

COPY FROM FTP remote.merchant.domain.com
  USER 'foo' PWD '***'
  DIR data/sales/in FILES  '.*'
  TO /data/sales/raw OVERWRITE

The malicious FTP server would send back path traversal filenames to the client. For instance, responding to a LIST command with ../../../../../../../home/root/.ssh/authorized_keys.

When Hive executes the above statement (assuming it’s running as root), root’s authorized_keys ssh file will be overwritten with one known by the attacker.
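The root cause is that a file name supplied by the remote FTP server is joined to the local target directory without checking that the result still lies inside that directory. The following is an added illustration of such a check, not code from Hive or from the fix shipped in 2.3.3: it resolves each name from a (constructed) LIST reply under the TO directory and rejects anything that escapes it, including the traversal name quoted above. The SUBDIR option is modelled by the `allow_subdirs` flag.

```python
import posixpath
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of names a malicious FTP server might return for LIST.
# The second entry is the traversal pattern described in the advisory.
SAMPLE_LISTING = [
    "sales_2017-03-01.csv",
    "../../../../../../../home/root/.ssh/authorized_keys",
    "/etc/cron.d/nightly",
    "archive/2017/sales.csv",
    "",
]


def resolve_under_target(target_dir: str, remote_name: str,
                         allow_subdirs: bool = False) -> Optional[str]:
    """Return the local path for remote_name, or None if it must be rejected.

    target_dir is the absolute POSIX path from the TO clause. A name is accepted
    only if, after normalisation, it still lies strictly inside target_dir.
    With allow_subdirs off (no SUBDIR option) any separator in the name is rejected.
    """
    if not remote_name or remote_name in (".", ".."):
        return None
    base = posixpath.normpath(target_dir)
    if not base.startswith("/"):
        raise ValueError("target_dir must be absolute")
    if not allow_subdirs and "/" in remote_name:
        return None
    # posixpath.join discards base when remote_name is absolute, so an absolute
    # name normalises to itself and fails the prefix check below. The trailing
    # slash on the prefix stops /data/sales/rawextra from passing as inside /data/sales/raw.
    candidate = posixpath.normpath(posixpath.join(base, remote_name))
    if candidate == base or not candidate.startswith(base.rstrip("/") + "/"):
        return None
    return candidate


def partition_listing(target_dir: str, names: Iterable[str],
                      allow_subdirs: bool = False) -> Tuple[Dict[str, str], List[str]]:
    """Split a listing into {remote name: local path} to fetch and names to refuse."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name in names:
        local = resolve_under_target(target_dir, name, allow_subdirs)
        if local is None:
            rejected.append(name)
        else:
            accepted[name] = local
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_listing("/data/sales/raw", SAMPLE_LISTING, allow_subdirs=True)
    print("fetch:", ok)
    print("refuse:", bad)
```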

How to fix Arbitrary File Write?

Upgrade org.apache.hive:hive-hplsql to version 2.3.3 or higher.

Vulnerable version: [2.1.0,2.3.3)