[jira] [Updated] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password

2015-03-17 Thread Xuefu Zhang (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xuefu Zhang updated HIVE-9934:
--
Attachment: HIVE-9934.4.patch

Updated the patch, adding the @Test annotation.

 Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to 
 degrade the authentication mechanism to none, allowing authentication 
 without password
 --

 Key: HIVE-9934
 URL: https://issues.apache.org/jira/browse/HIVE-9934
 Project: Hive
  Issue Type: Bug
  Components: Security
Affects Versions: 1.1.0
Reporter: Chao
Assignee: Chao
 Attachments: HIVE-9934.1.patch, HIVE-9934.2.patch, HIVE-9934.3.patch, 
 HIVE-9934.3.patch, HIVE-9934.4.patch


 Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to 
 degrade the authentication mechanism to none, allowing authentication 
 without password.
 See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
 “If you supply an empty string, an empty byte/char array, or null to the 
 Context.SECURITY_CREDENTIALS environment property, then the authentication 
 mechanism will be none. This is because the LDAP requires the password to 
 be nonempty for simple authentication. The protocol automatically converts 
 the authentication to none if a password is not supplied.”
  
 Since the LdapAuthenticationProviderImpl.Authenticate method relies on a 
 NamingException being thrown during creation of the initial context, it does not 
 fail when the context result is an “unauthenticated” positive response from 
 the LDAP server. The end result is that one can authenticate with HiveServer2 
 using the LdapAuthenticationProviderImpl with only a user name and an empty 
 password.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Updated] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password

2015-03-17 Thread Xuefu Zhang (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xuefu Zhang updated HIVE-9934:
--
Attachment: (was: HIVE-9934.4.patch)






[jira] [Updated] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password

2015-03-17 Thread Xuefu Zhang (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xuefu Zhang updated HIVE-9934:
--
Attachment: HIVE-9934.3.patch

Attached the same patch for another test run.






[jira] [Updated] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password

2015-03-16 Thread Chao (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chao updated HIVE-9934:
---
Attachment: HIVE-9934.2.patch

(cc [~prasadm] [~xuefuz]). I was able to reproduce the issue after disabling 
JDBC authentication and using the Hadoop-provided {{SaslPlainServerFactory}}. I 
need to do the latter because the Hive-provided Sasl server implementation checks 
the case when the password is empty, therefore the issue could be prevented. 
However, if the Hadoop version of the class gets loaded first (which doesn't check 
whether the password is null or empty), then the issue could still happen.

In this patch I also included a simple unit test. Desirably we should write an 
end-to-end test, however that involves non-trivial work. I'll put that in a 
follow-up JIRA.






[jira] [Updated] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to none, allowing authentication without password

2015-03-11 Thread Chao (JIRA)

[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chao updated HIVE-9934:
---
Attachment: HIVE-9934.1.patch

Check if the password is null or blank; if so, throw an exception.




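The following is an added illustration of the flaw described in the issue and of the pre-bind check the patch introduces; it is not Hive's LdapAuthenticationProviderImpl nor code from any of the attached patches. The class name LdapBindCheck, the method names, LDAP_URL and DN_SUFFIX are assumptions standing in for a real deployment's values.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.sasl.AuthenticationException;

// Added example, not Hive's own code: URL and DN suffix are placeholders.
public class LdapBindCheck {
  private static final String LDAP_URL = "ldap://ldap.example.invalid:389";
  private static final String DN_SUFFIX = ",ou=people,dc=example,dc=invalid";

  // Vulnerable shape: assumes a failed bind always throws NamingException.
  // With an empty password JNDI silently performs an anonymous ("none")
  // bind, the directory answers success, and no exception is raised.
  // (A null value cannot even reach JNDI here: Hashtable rejects nulls.)
  static void bindVulnerable(String user, String password)
      throws AuthenticationException {
    bind(user, password);
  }

  // Hardened shape, the behaviour the issue's fix describes: refuse a
  // null or blank password (and user) before JNDI can downgrade the
  // mechanism, so an empty credential never turns into an anonymous bind.
  static void bindHardened(String user, String password)
      throws AuthenticationException {
    if (user == null || user.trim().isEmpty()) {
      throw new AuthenticationException("LDAP user name must not be blank");
    }
    if (password == null || password.trim().isEmpty()) {
      throw new AuthenticationException("LDAP password must not be blank");
    }
    bind(user, password);
  }

  // Shared simple-bind routine: the bind itself happens in the
  // InitialDirContext constructor, which is the only failure signal.
  private static void bind(String user, String password)
      throws AuthenticationException {
    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, LDAP_URL);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "uid=" + user + DN_SUFFIX);
    env.put(Context.SECURITY_CREDENTIALS, password);
    try {
      DirContext ctx = new InitialDirContext(env);
      ctx.close();
    } catch (NamingException e) {
      throw new AuthenticationException("LDAP authentication failed for " + user, e);
    }
  }
}
```

The same pre-bind rejection is what a SASL PLAIN server layer in front of this provider should also enforce, since, as the thread notes, not every SaslPlainServerFactory implementation checks for an empty password itself.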