[ https://issues.apache.org/jira/browse/HIVE-22150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924495#comment-16924495 ]
Alan Gates commented on HIVE-22150:
-----------------------------------

Looks good to me. Any feedback [~thejas], [~vaibhgup] or others who have worked more on HS2 than me?

> HS2 allows setting system properties
> ------------------------------------
>
>                 Key: HIVE-22150
>                 URL: https://issues.apache.org/jira/browse/HIVE-22150
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 4.0.0, 3.1.1
>            Reporter: Craig Condit
>            Assignee: Hui An
>            Priority: Major
>         Attachments: HIVE-22150.patch.1, HIVE-22150.patch.2
>
>
> HiveServer2 currently allows setting system properties, which is a problem
> when used in a multi-user environment.
> Connecting via beeline and executing the following demonstrates the issue:
> {noformat}
> 0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir;
> +-----------------------------+
> |             set             |
> +-----------------------------+
> | system:java.io.tmpdir=/tmp  |
> +-----------------------------+
> 1 row selected (0.018 seconds)
> 0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir=/tmp/attacker-dir;
> No rows affected (0.013 seconds)
> 0: jdbc:hive2://serv1000.example.com:2181,serv> SET system:java.io.tmpdir;
> +------------------------------------------+
> |                   set                    |
> +------------------------------------------+
> | system:java.io.tmpdir=/tmp/attacker-dir  |
> +------------------------------------------+
> 1 row selected (0.019 seconds)
> {noformat}
> Any changes persist until HS2 is restarted, and affect all connected users.
> At the very least, this is a denial-of-service vector (verified by setting
> line.separator to a random string).

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
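A server-side guard of the kind this report calls for, as an added example that is not Hive's code or either attached patch: it lets a `SET system:...` read through but refuses an assignment in the `system:` namespace, because JVM System properties belong to the whole process and are shared by every connected session. The class and method names are hypothetical, and the `hiveconf:` key in `main` is a placeholder standing in for any session-scoped setting.

```java
import java.util.Locale;

/** Screens beeline-style SET statements before a shared server process executes them. */
public final class SetCommandGuard {

    public enum Verdict { ALLOW, DENY_SYSTEM_WRITE }

    /**
     * Reads ("SET key" or bare "SET") are always allowed. Assignments whose key
     * lives in the "system:" namespace are denied: they would change JVM-wide
     * System properties and so persist across sessions until the process restarts.
     * Statements that are not SET at all are passed through untouched.
     */
    public static Verdict check(String statement) {
        String s = statement.trim();
        if (s.endsWith(";")) {                       // drop an optional statement terminator
            s = s.substring(0, s.length() - 1).trim();
        }
        boolean isSet = s.regionMatches(true, 0, "set", 0, 3)
                && (s.length() == 3 || Character.isWhitespace(s.charAt(3)));
        if (!isSet) {
            return Verdict.ALLOW;
        }
        String body = s.substring(3).trim();
        int eq = body.indexOf('=');
        if (eq < 0) {
            return Verdict.ALLOW;                    // no '=' means a read, not a write
        }
        // Namespace prefixes are case-insensitive here; normalise before comparing.
        String key = body.substring(0, eq).trim().toLowerCase(Locale.ROOT);
        if (key.startsWith("system:")) {
            return Verdict.DENY_SYSTEM_WRITE;
        }
        return Verdict.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the beeline session quoted in the report.
        String[] samples = {
            "SET system:java.io.tmpdir;",                       // read of a system property
            "SET system:java.io.tmpdir=/tmp/attacker-dir;",     // write to the process-global namespace
            "SET system:line.separator = x;",                   // write with surrounding whitespace
            "SET hiveconf:placeholder.session.setting=true;"    // session-scoped namespace (placeholder key)
        };
        for (String sql : samples) {
            System.out.println(check(sql) + "  <-  " + sql);
        }
    }
}
```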