[ https://issues.apache.org/jira/browse/HIVE-29269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18040777#comment-18040777 ]

Stamatis Zampetakis commented on HIVE-29269:
--------------------------------------------

Hey [~wukongtencent] , the 4.2.0 release is out and the official announcement 
of this CVE was sent out a few minutes ago 
([https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g]). I also 
changed the visibility of this ticket to public, so from now on you can speak 
about it publicly. Thanks again for reporting it and many thanks to everyone 
else who helped to bring this to a conclusion.

> SQL injection vulnerability when processing delete column statistics requests 
> via the HMS Thrift APIs
> -----------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-29269
>                 URL: https://issues.apache.org/jira/browse/HIVE-29269
>             Project: Hive
>          Issue Type: Bug
>          Components: Standalone Metastore, Thrift API
>    Affects Versions: 4.1.0
>            Reporter: WuKong
>            Assignee: Krisztian Kasa
>            Priority: Blocker
>              Labels: hive-4.2.0-must, security, sql-injection
>             Fix For: 4.2.0
>
>         Attachments: HIVE-29269.patch
>
>   Original Estimate: 72h
>  Remaining Estimate: 72h
>
> h3. *Vulnerability Summary*
> The latest version of the Apache Hive code *contains a SQL injection 
> vulnerability* when processing requests to delete column statistics. This 
> vulnerability enables attackers to execute arbitrary SQL code via maliciously 
> crafted requests.
> h3. *Vulnerability Details*
> h3. *1. Entry Point*
> *File:* 
> standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HMSHandler.java
> *Line 7363:* The delete_column_statistics_req function receives 
> DeleteColumnStatisticsRequest from Thrift clients:
>     public boolean delete_column_statistics_req(DeleteColumnStatisticsRequest req)
>
> *Same file, line 7367:* Directly extracts the 'engine' parameter from the 
> user request without any validation:
>     String engine = req.getEngine();
> h3. *2. Dangerous Parameter Propagation*
> *Same file, line 7387:* Calls the rawStore.deleteTableColumnStatistics 
> method, passing the unvalidated dangerous parameter 'engine' to it:
>     ret = rawStore.deleteTableColumnStatistics(parsedDbName[CAT_NAME], 
>         parsedDbName[DB_NAME], tableName, colNames, engine);
>
> *File:* 
> standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
> *Line 10354:* In the deleteTableColumnStatistics function, the parameter 
> 'engine' comes from the previous call (that is, unvalidated user input):
>     public boolean deleteTableColumnStatistics(String catName, String dbName, 
>         String tableName, List<String> colNames, String engine)
>
> *Line 10368:* Inside the deleteTableColumnStatistics function, the 'engine' 
> parameter remains unvalidated and is passed directly into the call:
>     return directSql.deleteTableColumnStatistics(getTable().getId(), colNames, engine);
> h3. *3. SQL Injection Vulnerability Triggering*
> *File:* 
> standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/MetaStoreDirectSql.java
> *Line 3245:* The deleteTableColumnStatistics function begins constructing 
> the SQL statement:
>     public boolean deleteTableColumnStatistics(long tableId, List<String> colNames, String engine)
>
> *Line 3246:* Initializes the base SQL:
>     String deleteSql = "delete from " + TAB_COL_STATS + " where \"TBL_ID\" = " + tableId;
>
> *Line 3250:* Directly concatenates the 'engine' parameter into the SQL 
> without escaping:
>     if (engine != null) {
>       deleteSql += " and \"ENGINE\" = '" + engine + "'";
>     }
>
> *Line 3254:* The SQL statement spliced with user input, 'deleteSql', is 
> passed into the function executeNoResult:
>     executeNoResult(deleteSql);
>
> *Lines 352-367:* The SQL statement is executed directly through the execute 
> function without any parameterization:
>     private void executeNoResult(final String queryText) throws SQLException {
>       JDOConnection jdoConn = pm.getDataStoreConnection();
>       Statement statement = null;
>       boolean doTrace = LOG.isDebugEnabled();
>       try {
>         long start = doTrace ? System.nanoTime() : 0;
>         statement = ((Connection) jdoConn.getNativeConnection()).createStatement();
>         statement.execute(queryText);  // SQL injection !!
>         MetastoreDirectSqlUtils.timingTrace(doTrace, queryText, start, doTrace ? System.nanoTime() : 0);
>       } finally {
>         if (statement != null) {
>           statement.close();
>         }
>         jdoConn.close(); // We must release the connection before we call other pm methods.
>       }
>     }
> h2. *Remediation Recommendations*
> *1.* Use parameterized queries instead of string concatenation
> *2.* Add input validation in DeleteColumnStatisticsRequest.java
> *3.* Implement a whitelist mechanism for the 'engine' parameter
>
> We look forward to your prompt response and kindly request the assignment of 
> a CVE identifier for this vulnerability.
> Sincerely, Wukong Code Security Team of Tencent
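An added example, not code from the Hive code base or from the report above: it reproduces the concatenation pattern the report walks through (tableId plus an optional ENGINE predicate; the colNames clause is left out) against an in-memory SQLite table, and puts the parameterized, allowlisted form recommended in the remediation section beside it. The TAB_COL_STATS stand-in table, its seed rows and the KNOWN_ENGINES set are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the metastore's TAB_COL_STATS table, reduced to
# the two columns the WHERE clause in the report touches.
TAB_COL_STATS = '"TAB_COL_STATS"'
SEED_ROWS = [(1, "hive"), (1, "impala"), (2, "hive")]

# Hypothetical allowlist (remediation 3); the real set of engine names is an
# assumption made for this example.
KNOWN_ENGINES = frozenset({"hive", "impala"})


def is_known_engine(engine):
    """Allowlist check; None means 'statistics for every engine' and is allowed."""
    return engine is None or engine in KNOWN_ENGINES


def build_delete_concat(table_id, engine):
    """Reproduces the vulnerable pattern: engine is spliced into the SQL text."""
    sql = "delete from " + TAB_COL_STATS + ' where "TBL_ID" = ' + str(table_id)
    if engine is not None:
        sql += ' and "ENGINE" = \'' + engine + "'"
    return sql, ()  # no bound parameters, everything is literal SQL


def build_delete_parameterized(table_id, engine):
    """Hardened form (remediation 1): user input only travels as a bound value."""
    sql = "delete from " + TAB_COL_STATS + ' where "TBL_ID" = ?'
    params = [table_id]
    if engine is not None:
        sql += ' and "ENGINE" = ?'
        params.append(engine)
    return sql, tuple(params)


def rows_left_after_delete(builder, table_id, engine):
    """Seed a fresh in-memory DB, run the delete the builder produces, count survivors."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table " + TAB_COL_STATS + ' ("TBL_ID" integer, "ENGINE" text)')
    conn.executemany("insert into " + TAB_COL_STATS + " values (?, ?)", SEED_ROWS)
    sql, params = builder(table_id, engine)
    conn.execute(sql, params)  # params is () for the concatenated variant
    return conn.execute("select count(*) from " + TAB_COL_STATS).fetchone()[0]


if __name__ == "__main__":
    crafted = "x' or '1'='1"  # a tautology in the spliced query, inert when bound
    print("concat, crafted engine:", rows_left_after_delete(build_delete_concat, 1, crafted))
    print("bound, crafted engine: ", rows_left_after_delete(build_delete_parameterized, 1, crafted))
    print("allowlist accepts it:  ", is_known_engine(crafted))
```

With the concatenated builder the crafted value turns the statement into a delete of every row, while the bound form only ever compares the literal string and the allowlist rejects it before any SQL is built.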



--
This message was sent by Atlassian Jira
(v8.20.10#820010)