CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass
carefully crafted XML to access arbitrary files

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions from 0.6.0

Description: A malicious user might use any of the xpath UDFs
to expose the content of a file on the machine running HiveServer2
owned by the HiveServer2 user (usually hive) if

Mitigation: Users who use xpath UDFs in HiveServer2 with
hive.server2.enable.doAs=false are advised to upgrade to 2.3.3, or
update to the head of branch-2.3 and rebuild.
If these functions are not being used at present, you can also
disable their use by adding them to the value of the config
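
To check whether the two conditions named in the mitigation apply to a deployment (xpath UDFs in use and hive.server2.enable.doAs=false), the following added example, which is not part of the original advisory or of Apache Hive, parses a hive-site.xml and scans query text for calls to the xpath UDFs. The sample configuration and queries are constructed, the function names are hypothetical, and an unset hive.server2.enable.doAs is assumed to take Hive's default of true.

```python
import re
import xml.etree.ElementTree as ET

# Hive's built-in XPath UDF names (the advisory's "UDFXPathXXXX" series).
XPATH_UDFS = ("xpath", "xpath_string", "xpath_boolean", "xpath_short", "xpath_int",
              "xpath_long", "xpath_float", "xpath_double", "xpath_number")
UDF_CALL = re.compile(r"\b(" + "|".join(XPATH_UDFS) + r")\s*\(", re.IGNORECASE)

# Constructed sample input, not taken from a real deployment.
SAMPLE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
</configuration>"""
SAMPLE_QUERIES = [
    "SELECT xpath_string(payload, '/order/id') FROM orders",
    "SELECT count(*) FROM orders",
    "select XPATH_INT (doc, 'sum(a/b)') from t",
]

def do_as_enabled(hive_site_xml):
    """Effective hive.server2.enable.doAs; assumed default is true when unset."""
    root = ET.fromstring(hive_site_xml)
    value = "true"
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == "hive.server2.enable.doAs":
            value = (prop.findtext("value") or "").strip().lower()  # last one wins
    return value == "true"

def xpath_udf_usage(queries):
    """Map each xpath UDF name to the queries that call it."""
    hits = {}
    for query in queries:
        for match in UDF_CALL.finditer(query):
            hits.setdefault(match.group(1).lower(), []).append(query)
    return hits

def triage(hive_site_xml, queries):
    """Report whether the advisory's upgrade recommendation applies."""
    usage = xpath_udf_usage(queries)
    do_as = do_as_enabled(hive_site_xml)
    return {
        "doAs": do_as,
        "xpath_udfs_used": sorted(usage),
        # Mitigation text: xpath UDFs in use AND doAs=false -> upgrade.
        "upgrade_recommended": (not do_as) and bool(usage),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_SITE, SAMPLE_QUERIES))
```

The regex matches on query text only, so a UDF name inside a string literal or comment is also reported; treat hits as candidates to review.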
