Chao created HIVE-9934:
--------------------------
Summary: Vulnerability in LdapAuthenticationProviderImpl enables
HiveServer2 client to degrade the authentication mechanism to "none", allowing
authentication without password
Key: HIVE-9934
URL: https://issues.apache.org/jira/browse/HIVE-9934
Project: Hive
Issue Type: Bug
Components: Security
Affects Versions: 1.1.0
Reporter: Chao
Assignee: Chao
Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to
degrade the authentication mechanism to "none", allowing authentication without
password.
See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
“If you supply an empty string, an empty byte/char array, or null to the
Context.SECURITY_CREDENTIALS environment property, then the authentication
mechanism will be "none". This is because the LDAP requires the password to be
nonempty for simple authentication. The protocol automatically converts the
authentication to "none" if a password is not supplied.”
Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a
NamingException being thrown during creation of initial context, it does not
fail when the context result is an “unauthenticated” positive response from the
LDAP server. The end result is, one can authenticate with HiveServer2 using the
LdapAuthenticationProviderImpl with only a user name and an empty password.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
