oss-security - CVE-2022-41137: Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <d9ad5b1e-d9a8-ec57-82ef-dfbfbfb59e37@apache.org>
Date: Wed, 04 Dec 2024 13:28:56 +0000
From: Stamatis Zampetakis <zabetak@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-41137: Apache Hive: Deserialization of untrusted data
 when fetching partitions from the Metastore 

Severity: moderate

Affected versions:

- Apache Hive 4.0.0-alpha-1 before 4.0.0

Description:

Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data.

In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments.

This issue is being tracked as HIVE-26539 

Credit:

Junjie Liao (reporter)

References:

https://github.com/apache/hive
https://issues.apache.org/jira/browse/HIVE-26539
https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9
https://hive.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-41137
https://issues.apache.org/jira/browse/HIVE-26539

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.