[HIVE-22150] HS2 allows setting system properties - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Patch Available
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.1.1, 4.0.0
Fix Version/s: None
Component/s: HiveServer2
Labels:
None

Description

HiveServer2 currently allows setting system properties, which is a problem when used in a multi-user environment.

Connecting via beeline and executing the following demonstrates the issue:

0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir;
+-----------------------------+
|             set             |
+-----------------------------+
| system:java.io.tmpdir=/tmp  |
+-----------------------------+
1 row selected (0.018 seconds)
0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir=/tmp/attacker-dir;
No rows affected (0.013 seconds)
0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir;
+------------------------------------------+
|                   set                    |
+------------------------------------------+
| system:java.io.tmpdir=/tmp/attacker-dir  |
+------------------------------------------+
1 row selected (0.019 seconds)

Any changes persist until HS2 is restarted, and affect all connected users. At the very least, this is a denial-of-service vector (verified by setting line.separator to a random string).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-22150.patch.2
30/Aug/19 03:12
6 kB
Hui An
HIVE-22150.patch.1
29/Aug/19 03:32
4 kB
Hui An

Activity

People

Assignee:: Hui An

Reporter:: Craig Condit

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 27/Aug/19 19:22

Updated:: 05/Nov/19 07:06