PT-2015-5437 · IBM+1 · IBM InfoSphere BigInsights+1

Thomas Rega · Published 2015-12-21 · Updated 2019-03-14 · CVE-2015-1772

CVSS v3.1: 7.3 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Apache Hive versions prior to 1.0.1
Apache Hive versions 1.1.x prior to 1.1.1
IBM InfoSphere BigInsights versions 3.0, 3.0.0.1, and 3.0.0.2

Description

The issue concerns the LDAP implementation in HiveServer2, which improperly handles simple unauthenticated and anonymous bind configurations. This allows remote attackers to bypass authentication by sending a crafted LDAP request.

Recommendations

For Apache Hive versions prior to 1.0.1, update to version 1.0.1 or later.
For Apache Hive versions 1.1.x prior to 1.1.1, update to version 1.1.1 or later.
For IBM InfoSphere BigInsights versions 3.0, 3.0.0.1, and 3.0.0.2, consider restricting access to the LDAP implementation until a patch or update is available.

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2015-1772
GHSA-5GVM-HRW5-H6XF

Affected Products

Apache Hive
IBM InfoSphere BigInsights