[
https://issues.apache.org/jira/browse/HIVE-29269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HIVE-29269:
----------------------------------
Labels: hive-4.2.0-must pull-request-available security sql-injection
(was: hive-4.2.0-must security sql-injection)
> SQL injection vulnerability when processing delete column statistics requests
> via the HMS Thrift APIs
> -----------------------------------------------------------------------------------------------------
>
> Key: HIVE-29269
> URL: https://issues.apache.org/jira/browse/HIVE-29269
> Project: Hive
> Issue Type: Bug
> Components: Standalone Metastore, Thrift API
> Affects Versions: 4.1.0
> Reporter: WuKong
> Assignee: Krisztian Kasa
> Priority: Blocker
> Labels: hive-4.2.0-must, pull-request-available, security,
> sql-injection
> Fix For: 4.2.0
>
> Attachments: HIVE-29269.patch
>
> Original Estimate: 72h
> Remaining Estimate: 72h
>
> h3. *Vulnerability Summary*
> The latest version of the Apache Hive code *contains a SQL injection*
> *vulnerability* when processing requests to delete column statistics. This
> vulnerability enables attackers to execute arbitrary SQL code via maliciously
> crafted requests.
> h3.
> h3. *Vulnerability Details*
> h3. *1. Entry Point*
> {color:#ff8b00}*File*{color}{color:#ff8b00}:{color}
> standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HMSHandler.java
> {color:#ff8b00}*Line 7363*{color}{color:#ff8b00}:{color} The
> delete_column_statistics_req function receives DeleteColumnStatisticsRequest
> from Thrift clients:
> _public boolean delete_column_statistics_req(DeleteColumnStatisticsRequest
> {*}req{*})_
>
> {color:#ff8b00}*Same file, line 7367*{color}: Directly extracts the
> '*_engine_*' parameter from user request without any validation:
> _String engine = req.getEngine();_
> h3.
> h3. *2. Dangerous Parameter Propagation*
>
> {color:#ff8b00}*Same file, line 7387*{color}{color:#ff8b00}*:* {color}Calls
> rawStore.deleteTableColumnStatistics method, passing unvalidated dangerous
> parameters:'{_}*engine*{_}' to it:
> _ret = rawStore.deleteTableColumnStatistics(parsedDbName[CAT_NAME],
> parsedDbName[DB_NAME], tableName, colNames, {*}engine{*});_
>
> {*}{color:#ff8b00}File{color}{*}*{color:#ff8b00}:{color}*
> standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
> {color:#ff8b00}*Line 10354*{color}{color:#ff8b00}*:*{color} In the
> deleteTableColumnStatistics function, the parameter '*{_}engine{_}'* comes
> from the previous call (that is, unvalidated user input):
> _public boolean deleteTableColumnStatistics(String catName, String dbName,
> String tableName, List<String> colNames, String {*}engine{*})_
>
> {color:#ff8b00}*Line 10368:* {color}Inside the deleteTableColumnStatistics
> function, the '*_engine_*' parameter remains unvalidated and is directly
> passed into the call:
> _return directSql.deleteTableColumnStatistics(getTable().getId(), colNames,
> {*}engine{*});_
> h3. *3. SQL Injection Vulnerability Triggering*
> {color:#ff8b00}*File*{color}*:*
> standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/MetaStoreDirectSql.java
> {color:#ff8b00}*Line 3245*{color}{color:#ff8b00}*:*{color} The
> deleteTableColumnStatistics function begins constructing SQL statement:
> _public boolean deleteTableColumnStatistics(long tableId, List<String>
> colNames, String {*}engine{*})_
>
> {color:#ff8b00}*Line 3246*{color}: Initializes base SQL:
> _String deleteSql = "delete from " + TAB_COL_STATS + " where \"TBL_ID\" = " +
> tableId;_
>
> {color:#ff8b00}*Line 3250*{color}: Directly concatenates '{*}_engine'_{*}
> parameter into SQL without escaping:
> _if (engine != null) {_
> _deleteSql += " and \"ENGINE\" = '" + {color:#ff8b00}*engine*{color} + "'";_
> _}_
>
> {color:#ff8b00}*Line 3254*{color}: The SQL statement spliced with user input:
> '{*}_deleteSql'_{*} is passed into the function executeNoResult.
> _executeNoResult(deleteSql);_
>
> {color:#ff8b00}*Line 352*{color}{color:#ff8b00}*-367*{color}:The SQL
> statement is directly executed through the execute function without any
> parameterization:
> _private void executeNoResult(final String {*}queryText{*}) throws
> SQLException {_
> _JDOConnection jdoConn = pm.getDataStoreConnection();_
> _Statement statement = null;_
> _boolean doTrace = LOG.isDebugEnabled();_
> _try {_
> _long start = doTrace ? System.nanoTime() : 0;_
> _statement = ((Connection)jdoConn.getNativeConnection()).createStatement();_
> {color:#de350b}*_statement.execute(queryText); //SQL injection !!_*{color}
> _MetastoreDirectSqlUtils.timingTrace(doTrace, queryText, start, doTrace ?
> System.nanoTime() : 0);_
> _} finally {_
> _if(statement != null){_
> _statement.close();_
> _}_
> _jdoConn.close(); // We must release the connection before we call other pm
> methods._
> _}_
> h2. *Remediation Recommendations*
> *1.* Use parameterized queries instead of string concatenation
> *2.* Add input validation in DeleteColumnStatisticsRequest.java
> *3.* Implement whitelist mechanism for '{_}engine{_} parameter
>
> We look forward to your prompt response and kindly request the assignment of
> a CVE identifier for this vulnerability.
> Sincerely, Wukong Code Security Team of Tencent
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
