Details
Type: Bug
Status: Patch Available
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.1.1, 4.0.0
Fix Version/s: None
Component/s: None
Description
HiveServer2 currently allows any connected client to set JVM system properties with SET system:<name>=<value>, which is a problem when the server is used in a multi-user environment.
Connecting via beeline and executing the following demonstrates the issue:
0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir;
+-----------------------------+
|             set             |
+-----------------------------+
| system:java.io.tmpdir=/tmp  |
+-----------------------------+
1 row selected (0.018 seconds)
0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir=/tmp/attacker-dir;
No rows affected (0.013 seconds)
0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir;
+------------------------------------------+
|                   set                    |
+------------------------------------------+
| system:java.io.tmpdir=/tmp/attacker-dir  |
+------------------------------------------+
1 row selected (0.019 seconds)
Because system properties are process-wide JVM state rather than per-session state, any change persists until HS2 is restarted and affects all connected users, not only the session that issued the SET. At the very least, this is a denial-of-service vector (verified by setting line.separator to a random string).
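The following is an added illustration, not Hive code: it shows why a client-controlled SET system:... is a cross-session problem (a property set on one thread, standing in for one HS2 connection, is immediately visible on another), and contrasts the unchecked behaviour reported above with a hardened variant that rejects anything outside an allow-list. The class name, the WRITABLE_SYSTEM_PROPS allow-list and both helper methods are assumptions made for the example; Hive's own SET handling and configuration keys are not modelled.

```java
import java.util.Set;
import java.util.concurrent.CountDownLatch;

// Illustrative example only (not HiveServer2 code). System properties are
// JVM-global, so whatever one "session" thread sets is what every other
// "session" thread reads, exactly as observed through beeline above.
public class SystemPropertyScope {

    // Hypothetical allow-list of system properties a non-admin session may
    // change. Empty or near-empty is the safe default; java.io.tmpdir,
    // line.separator and the like deliberately are not in it.
    private static final Set<String> WRITABLE_SYSTEM_PROPS = Set.of("user.timezone.display");

    // Unchecked variant: mirrors the behaviour reported in this issue.
    static void setSystemPropertyUnchecked(String key, String value) {
        System.setProperty(key, value);
    }

    // Hardened variant: refuse any key that is not explicitly allow-listed.
    static void setSystemPropertyChecked(String key, String value) {
        if (!WRITABLE_SYSTEM_PROPS.contains(key)) {
            throw new SecurityException("system:" + key + " may not be set from a client session");
        }
        System.setProperty(key, value);
    }

    public static void main(String[] args) throws InterruptedException {
        final String key = "java.io.tmpdir";
        final String original = System.getProperty(key);
        final CountDownLatch attackerDone = new CountDownLatch(1);

        // "Session A": the connection that issues SET system:java.io.tmpdir=...
        Thread sessionA = new Thread(() -> {
            setSystemPropertyUnchecked(key, "/tmp/attacker-dir");
            attackerDone.countDown();
        });

        // "Session B": an unrelated connection that never issued any SET,
        // but reads the property after session A has changed it.
        Thread sessionB = new Thread(() -> {
            try {
                attackerDone.await();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return;
            }
            System.out.println("session B sees " + key + "=" + System.getProperty(key));
        });

        sessionA.start();
        sessionB.start();
        sessionA.join();
        sessionB.join();

        // Restore the JVM-wide value before demonstrating the hardened path.
        System.setProperty(key, original);

        try {
            setSystemPropertyChecked(key, "/tmp/attacker-dir");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("after hardened SET, " + key + "=" + System.getProperty(key));
    }
}
```

Compile and run with a Java 9 or newer JDK (Set.of requires it): session B prints the attacker-controlled value even though it never issued a SET, and the hardened call is rejected while java.io.tmpdir keeps its original value. The allow-list approach is shown because it fails closed; a deny-list of "dangerous" property names would have to anticipate every property the JVM or a library consults.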