CVE-2018-1284
Description
In Apache Hive 0.6.0 to 2.3.2, a malicious user might use any of the xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2, owned by the HiveServer2 user (usually hive), if hive.server2.enable.doAs=false.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Hive 0.6.0 to 2.3.2, XPath UDFs can expose file contents when the doAs setting is disabled.
Vulnerability
In Apache Hive versions 0.6.0 through 2.3.2, a malicious user can leverage any XPath user-defined function (UDF), that is xpath, xpath_string, xpath_boolean, xpath_number, xpath_double, xpath_float, xpath_long, xpath_int, or xpath_short, to read the content of a file on the machine running HiveServer2. This is possible only if the configuration property hive.server2.enable.doAs is set to false, which causes HiveServer2 to run all queries under the system user (usually hive) rather than the requesting user [1][4]. The vulnerability exists because UDFXPathUtil evaluated XPath expressions directly against the input document using an XML parser in its default configuration, which resolves XML external entity (XXE) references [2][3].
Exploitation
An attacker must have the ability to submit Hive queries containing an XPath UDF with a crafted XML payload that includes external entity references pointing to a local file (e.g., /etc/passwd). The attacker does not need special privileges beyond query submission, but the attack only succeeds when hive.server2.enable.doAs=false, meaning all queries execute as the HiveServer2 user. No user interaction beyond query execution is required; the XXE payload is processed server-side during XPath evaluation [1][3].
Impact
Successful exploitation allows an unprivileged user to read any file on the HiveServer2 host that is accessible by the HiveServer2 process user (typically hive). This can lead to disclosure of sensitive information such as configuration files, database credentials, or other secrets stored on the server. The impact is limited to information disclosure (confidentiality) and does not directly enable code execution or privilege escalation [1][4].
Mitigation
Apache Hive 2.3.3, released on April 24, 2018, fixes the vulnerability by disabling XXE processing in the UDFXPathUtil class. The patch parses the input with a DocumentBuilder whose factory has the SAX features http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities set to false, so external entities are not resolved [2][3]. Users should upgrade to Hive 2.3.3 or later. If an immediate upgrade is not possible, setting hive.server2.enable.doAs=true reduces the risk by ensuring queries run with the requesting user's own privileges, though this is a configuration change that must be evaluated against operational requirements [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
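A stand-alone version of the parser hardening described in the Mitigation paragraph, written for this page as an added example and not taken from Hive's source. It configures a DocumentBuilderFactory with the two SAX features the 2.3.3 patch turns off (external-general-entities and external-parameter-entities), evaluates the XPath against the parsed Document rather than the raw InputSource, and then runs the same kind of regression check the patch's unit test does: an external entity that points at a temp file the program created itself. The class name HardenedXPathDemo, the method names, and the temp-file fixture are this example's own.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/**
 * Added example (not Hive's code): a DocumentBuilder configured with the same
 * two SAX features the Hive 2.3.3 fix disables, plus a self-check that an
 * external entity pointing at a local file is no longer expanded.
 */
public class HardenedXPathDemo {

    static final String SAX_FEATURE_PREFIX = "http://xml.org/sax/features/";

    /** Parser that will not resolve external general or parameter entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(SAX_FEATURE_PREFIX + "external-general-entities", false);
        dbf.setFeature(SAX_FEATURE_PREFIX + "external-parameter-entities", false);
        return dbf.newDocumentBuilder();
    }

    /** Parser left at JDK defaults, used only for the comparison below. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /**
     * Mirrors the shape of the fixed UDFXPathUtil.eval(): parse the XML into a
     * DOM with the chosen builder first, then evaluate the XPath against the
     * Document instead of handing the raw InputSource to the XPath engine.
     */
    static String evalString(DocumentBuilder builder, String xml, String path) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return (String) xpath.evaluate(path, doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a temp file owned by this process stands in for a
        // sensitive file on the HiveServer2 host. Nothing else is read.
        String secret = "constructed-secret-" + System.nanoTime();
        File secretFile = File.createTempFile("xxe-check", ".txt");
        secretFile.deleteOnExit();
        Files.write(secretFile.toPath(), secret.getBytes(StandardCharsets.UTF_8));

        // Same document shape as the regression test added in the Hive patch.
        String xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
                + "<!DOCTYPE foo [ <!ENTITY ext SYSTEM \"" + secretFile.toURI() + "\"> ]>\n"
                + "<foo>&ext;</foo>";

        String viaDefault = evalString(defaultBuilder(), xml, "/foo");
        String viaHardened = evalString(hardenedBuilder(), xml, "/foo");

        // Report whether each parser copied the file content into the result.
        System.out.println("default parser exposed file content:  " + viaDefault.contains(secret));
        System.out.println("hardened parser exposed file content: " + viaHardened.contains(secret));
        System.out.println("hardened parser result is empty:      " + viaHardened.isEmpty());
    }
}
```

Compile and run with `javac HardenedXPathDemo.java && java HardenedXPathDemo`; no dependencies beyond the JDK are needed. Disabling the two external-entity features is exactly what the Hive fix does; where the inputs never legitimately carry a DTD, the stricter option is to reject the DOCTYPE altogether with the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` set to true, which also removes internal entity expansion as a resource-exhaustion vector.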
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.hive:hive | Maven | >= 0.6.0, < 2.3.3 | 2.3.3 |
| org.apache.hive:hive-exec | Maven | >= 0.6.0, < 2.3.3 | 2.3.3 |
| org.apache.hive:hive-service | Maven | >= 0.6.0, < 2.3.3 | 2.3.3 |
Affected products
- GHSA coordinates (no CPE): pkg:maven/org.apache.hive/hive, range >= 0.6.0, < 2.3.3
- GHSA coordinates (no CPE): pkg:maven/org.apache.hive/hive-exec, range >= 0.6.0, < 2.3.3
- GHSA coordinates (no CPE): pkg:maven/org.apache.hive/hive-service, range >= 0.6.0, < 2.3.3
- Apache Software Foundation / Apache Hive (v5 record): range 0.6.0 to 2.3.2
Patches
- f80a38ae1174: HIVE-18879: Disallow embedded element in UDFXPathUtil needs to work if xercesImpl.jar in classpath (Daniel Dai, reviewed by Thejas Nair)
2 files changed · +48 −2
ql/src/java/org/apache/hadoop/hive/ql/udf/xml/UDFXPathUtil.java+26 −1 modified@@ -23,6 +23,9 @@ import java.io.StringReader; import javax.xml.namespace.QName; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; import javax.xml.xpath.XPath; import javax.xml.xpath.XPathConstants; import javax.xml.xpath.XPathExpression; @@ -38,9 +41,15 @@ * of this class. */ public class UDFXPathUtil { + public static final String SAX_FEATURE_PREFIX = "http://xml.org/sax/features/"; + public static final String EXTERNAL_GENERAL_ENTITIES_FEATURE = "external-general-entities"; + public static final String EXTERNAL_PARAMETER_ENTITIES_FEATURE = "external-parameter-entities"; + private DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + private DocumentBuilder builder = null; private XPath xpath = XPathFactory.newInstance().newXPath(); private ReusableStringReader reader = new ReusableStringReader(); private InputSource inputSource = new InputSource(reader); + private XPathExpression expression = null; private String oldPath = null; 
@@ -66,15 +75,31 @@ public Object eval(String xml, String path, QName qname) { return null; } + if (builder == null){ + try { + initializeDocumentBuilderFactory(); + builder = dbf.newDocumentBuilder(); + } catch (ParserConfigurationException e) { + throw new RuntimeException("Error instantiating DocumentBuilder, cannot build xml parser", e); + } + } + reader.set(xml); try { - return expression.evaluate(inputSource, qname); + return expression.evaluate(builder.parse(inputSource), qname); } catch (XPathExpressionException e) { throw new RuntimeException ("Invalid expression '" + oldPath + "'", e); + } catch (Exception e) { + throw new RuntimeException("Error loading expression '" + oldPath + "'", e); } } + private void initializeDocumentBuilderFactory() throws ParserConfigurationException { + dbf.setFeature(SAX_FEATURE_PREFIX + EXTERNAL_GENERAL_ENTITIES_FEATURE, false); + dbf.setFeature(SAX_FEATURE_PREFIX + EXTERNAL_PARAMETER_ENTITIES_FEATURE, false); + } + public Boolean evalBoolean(String xml, String path) { return (Boolean) eval(xml, path, XPathConstants.BOOLEAN); }
ql/src/test/org/apache/hadoop/hive/ql/udf/xml/TestUDFXPathUtil.java+22 −1 modified@@ -20,12 +20,15 @@ import javax.xml.xpath.XPathConstants; +import org.apache.commons.io.FileUtils; import org.junit.Test; import org.w3c.dom.Node; import org.w3c.dom.NodeList; import static org.junit.Assert.*; +import java.io.File; + public class TestUDFXPathUtil { @Test @@ -78,5 +81,23 @@ public void testEvalPositive() { assertTrue(result instanceof NodeList); assertEquals(5, ((NodeList)result).getLength()); } - + + @Test + public void testEmbedFailure() throws Exception { + + String secretValue = String.valueOf(Math.random()); + File tempFile = File.createTempFile("verifyembed", ".tmp"); + tempFile.deleteOnExit(); + String fname = tempFile.getAbsolutePath(); + + FileUtils.writeStringToFile(tempFile, secretValue); + + String xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" + + "<!DOCTYPE test [ \n" + + " <!ENTITY embed SYSTEM \"" + fname + "\"> \n" + + "]>\n" + + "<foo>&embed;</foo>"; + String evaled = new UDFXPathUtil().evalString(xml, "/foo"); + assertTrue(evaled.isEmpty()); + } }
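Review bot: in the UDFXPathUtil.eval() hunk, the new `catch (Exception e)` reports every parse failure as "Error loading expression '" + oldPath + "'", which blames the XPath expression when it is the XML document that failed to parse; catching SAXException and IOException separately with a message that names the document would make failed-parse events legible in the HiveServer2 log. initializeDocumentBuilderFactory() also only turns off the two external-entity features, so a DOCTYPE with internal entities is still expanded; if UDF inputs never need a DTD, setting `http://apache.org/xml/features/disallow-doctype-decl` to true (or enabling XMLConstants.FEATURE_SECURE_PROCESSING) on `dbf` would close that off as well. Minor style: `if (builder == null){` is missing the space before the brace used elsewhere in the file.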
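Review bot: in the TestUDFXPathUtil hunk, testEmbedFailure asserts `evaled.isEmpty()`, which pins one particular parser behaviour (the reference is silently dropped) rather than the property being protected; adding `assertFalse(evaled.contains(secretValue))` states the actual requirement and keeps the test meaningful if a later hardening changes how the DOCTYPE is handled. The test also exercises only an external general entity, while the fix disables two features; a second case using an external parameter entity would cover `EXTERNAL_PARAMETER_ENTITIES_FEATURE`. Finally, `FileUtils.writeStringToFile(tempFile, secretValue)` is the platform-default-encoding overload, deprecated in current commons-io; pass `StandardCharsets.UTF_8` explicitly.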
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rxmr-c9jm-7mm8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1284 (GHSA, advisory)
- www.securityfocus.com/bid/103750 (GHSA, VDB entry; x_refsource_BID)
- github.com/apache/hive/commit/f80a38ae1174553022deae4f8774918401d9756d (GHSA, web)
- issues.apache.org/jira/browse/HIVE-18879 (GHSA, web)
- lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868f73ccfdff46c7174b4%40%3Cdev.hive.apache.org%3E (MITRE, mailing list; x_refsource_MLIST)
- lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868f73ccfdff46c7174b4@%3Cdev.hive.apache.org%3E (GHSA, web)
News mentions
No linked articles in our index yet.