[ https://issues.apache.org/jira/browse/HIVE-29212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Riju Trivedi updated HIVE-29212:
--------------------------------
Security: (was: Non-Public)
> Function creation with blacklisted UDFs poses a security risk
> -------------------------------------------------------------
>
> Key: HIVE-29212
> URL: https://issues.apache.org/jira/browse/HIVE-29212
> Project: Hive
> Issue Type: Bug
> Components: Hive
> Affects Versions: 4.0.0
> Reporter: Riju Trivedi
> Assignee: Riju Trivedi
> Priority: Critical
> Labels: security
>
> Blacklisted UDFs configured via {{hive.server2.builtin.udf.blacklist}} (e.g.,
> {{reflect}}, {{reflect2}}, {{java_method}}, {{in_file}})
> cannot be invoked directly. However, the underlying classes (such as
> {{org.apache.hadoop.hive.ql.udf.generic.GenericUDFReflect}}) are still
> shipped in {{hive-exec.jar}} and remain accessible through *temporary or
> permanent function creation*.
> A user with the {{CREATE TEMPORARY FUNCTION}} privilege can register one of
> these classes as a temporary UDF and invoke it. This bypasses the blacklist
> restrictions and enables *arbitrary code execution as the Hive service
> user, giving full access to its Kerberos ticket and to sensitive HDFS data.*
> *Steps to replicate:*
> {{CREATE TEMPORARY FUNCTION my_tempudf AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFReflect';}}
> {{SELECT my_tempudf("java.lang.Runtime", "exec", "...");}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
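The bypass in the report leaves a clear trace in HiveServer2 query activity: a CREATE FUNCTION statement whose implementing class is one of the blacklisted built-ins, followed by calls of the new alias. The scanner below is an added example and is not part of the Jira issue or the Hive project. It takes (user, statement) pairs as a Hive operator would extract them from HiveServer2 query logs or Ranger/audit records, flags bindings of denied classes and later invocations of the resulting alias, and treats TEMPORARY functions as scoped to the creating user's session while permanent ones are visible to everyone. Only GenericUDFReflect is named in the report; the GenericUDFReflect2 and GenericUDFInFile class names, the log format and the sample statements are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Implementing classes behind the blacklisted built-ins. Only GenericUDFReflect
# is confirmed by the report; the other two entries are assumptions added here.
DENIED_CLASSES = {
    "org.apache.hadoop.hive.ql.udf.generic.GenericUDFReflect": "reflect / java_method",
    "org.apache.hadoop.hive.ql.udf.generic.GenericUDFReflect2": "reflect2",  # assumed
    "org.apache.hadoop.hive.ql.udf.generic.GenericUDFInFile": "in_file",     # assumed
}

# CREATE [TEMPORARY] FUNCTION [IF NOT EXISTS] [db.]name AS 'class' [USING JAR ...]
CREATE_FN_RE = re.compile(
    r"""^\s*CREATE\s+(?P<temp>TEMPORARY\s+)?FUNCTION\s+
        (?:IF\s+NOT\s+EXISTS\s+)?
        `?(?P<name>[A-Za-z_][\w.]*)`?\s+AS\s+
        (?P<q>['"])(?P<cls>[\w.$]+)(?P=q)""",
    re.IGNORECASE | re.VERBOSE,
)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str        # "binding" (CREATE FUNCTION) or "invocation" (later call of the alias)
    alias: str
    cls: str
    statement: str


def scan(events):
    """events: iterable of (user, HiveQL statement). Returns findings in log order."""
    # (scope, alias) -> class. scope is the user for TEMPORARY functions (session
    # scoped) and "*" for permanent functions (visible to every session).
    bound = {}
    findings = []
    for user, stmt in events:
        m = CREATE_FN_RE.match(stmt)
        if m:
            cls = m.group("cls")
            if cls in DENIED_CLASSES:
                scope = user if m.group("temp") else "*"
                alias = m.group("name").lower()
                bound[(scope, alias)] = cls
                findings.append(Finding(user, "binding", alias, cls, stmt.strip()))
            continue
        # Any other statement: look for a call of an alias bound to a denied class.
        lowered = stmt.lower()
        for (scope, alias), cls in bound.items():
            if scope not in (user, "*"):
                continue
            short = alias.rsplit(".", 1)[-1]          # permanent aliases may carry a db prefix
            if re.search(r"\b%s\s*\(" % re.escape(short), lowered):
                findings.append(Finding(user, "invocation", alias, cls, stmt.strip()))
    return findings


# Constructed sample activity (not real log data): direct use of reflect() is
# blocked by the blacklist and is not flagged here; the CREATE FUNCTION route is.
SAMPLE_EVENTS = [
    ("alice", "SELECT reflect('java.lang.String', 'valueOf', 1)"),
    ("bob",   "CREATE TEMPORARY FUNCTION my_tempudf AS "
              "'org.apache.hadoop.hive.ql.udf.generic.GenericUDFReflect'"),
    ("bob",   "SELECT my_tempudf('java.lang.System', 'getProperty', 'user.name')"),
    ("alice", "SELECT my_tempudf('java.lang.System', 'getProperty', 'user.name')"),
    ("carol", "CREATE FUNCTION analytics.safe_upper AS 'com.example.udf.SafeUpper'"),
    ("carol", "CREATE FUNCTION IF NOT EXISTS analytics.r2 AS "
              "\"org.apache.hadoop.hive.ql.udf.generic.GenericUDFReflect2\" USING JAR 'hdfs:///x.jar'"),
    ("dave",  "SELECT analytics.r2('java.lang.Runtime', 'getRuntime')"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.kind:10} user={f.user:6} alias={f.alias:20} "
              f"({DENIED_CLASSES[f.cls]}) :: {f.statement}")
```

Alice's fourth statement is deliberately not flagged: bob's function is TEMPORARY, so it does not exist in alice's session. A permanent function bound to a denied class is visible to every user, which is why dave's call of analytics.r2 is reported even though carol created it. The scanner only detects the bypass after the fact; closing the hole still requires restricting who may run CREATE [TEMPORARY] FUNCTION, or an authorizer that checks the implementing class at creation time.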