[HIVE-9934] Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to "none", allowing authentication without password - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.1.0
Fix Version/s: 1.2.0
Component/s: Security
Labels:
None

Description

Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to "none", allowing authentication without password.

See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
“If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be "none". This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to "none" if a password is not supplied.”

Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a NamingException being thrown during creation of initial context, it does not fail when the context result is an “unauthenticated” positive response from the LDAP server. The end result is, one can authenticate with HiveServer2 using the LdapAuthenticationProviderImpl with only a user name and an empty password.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-9934.3.patch
17/Mar/15 14:16
3 kB
Xuefu Zhang
HIVE-9934.3.patch
17/Mar/15 02:47
3 kB
Chao Sun
HIVE-9934.2.patch
16/Mar/15 20:55
3 kB
Chao Sun
HIVE-9934.1.patch
11/Mar/15 21:41
1.0 kB
Chao Sun

Issue Links

relates to

HIVE-9990 TestMultiSessionsHS2WithLocalClusterSpark is failing

Resolved

Activity

People

Assignee:: Chao Sun

Reporter:: Chao Sun

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 11/Mar/15 21:11

Updated:: 18/May/15 19:50

Resolved:: 17/Mar/15 22:06