PT-2025-3057 · Cloudera · Cloudera JDBC Connector for Hive, Cloudera JDBC Connector for Impala

Published 2025-01-16 · Updated 2025-01-18 · CVE-2024-54660

CVSS v3.1: 8.7 High
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Cloudera JDBC Connector for Hive versions prior to 2.6.26
Cloudera JDBC Connector for Impala versions prior to 2.6.35
Description

A JNDI injection issue was discovered that allows attackers to inject malicious parameters into the JDBC URL, which could lead to remote code execution. The JNDI injection is possible via the JDBC connection property krbJAASFile, used for the Java Authentication and Authorization Service (JAAS). Untrusted values for krbJAASFile, or an untrusted remote host, can therefore trigger JNDI injection through the krbJAASFile property of the JDBC URL.
Recommendations

For Cloudera JDBC Connector for Hive versions prior to 2.6.26, update to version 2.6.26 or later. For Cloudera JDBC Connector for Impala versions prior to 2.6.35, update to version 2.6.35 or later. As a temporary workaround, restrict the use of the krbJAASFile property in the JDBC connection to minimize the risk of exploitation, and avoid using untrusted parameters for the krbJAASFile and/or the remote host.
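The workaround above, restricting who may set krbJAASFile and which hosts a connection string may name, can be enforced before a caller-supplied URL reaches the driver. This is an added example, not code from Cloudera or from this advisory; the URL layout, the allowlisted host and the sample URLs are assumptions constructed for the illustration.

```python
# Policy check for Cloudera Hive/Impala JDBC connection strings (added example,
# not Cloudera's code). Assumed URL layout, per the connector documentation:
#   jdbc:impala://host:port/schema;Prop1=val;Prop2=val
# Properties may also arrive as a separate map (java.util.Properties); both
# sources are merged before the deny-list is applied.
ALLOWED_SCHEMES = {"jdbc:hive2", "jdbc:impala"}
ALLOWED_HOSTS = {"impala.corp.example"}      # constructed allowlist
# Properties no caller may set from untrusted input. krbJAASFile is the
# CVE-2024-54660 JNDI injection vector; keys are compared case-insensitively.
DENIED_PROPS = {"krbjaasfile"}


def parse_jdbc_url(url):
    """Split a Cloudera JDBC URL into scheme, host, port and property map."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not a JDBC URL")
    endpoint, *raw_props = rest.split(";")
    hostport = endpoint.split("/", 1)[0]        # drop the /schema part
    host, _, port = hostport.partition(":")
    properties = {}
    for item in raw_props:
        if not item.strip():
            continue
        key, _, value = item.partition("=")
        properties[key.strip().lower()] = value
    return {"scheme": scheme.lower(), "host": host.lower(),
            "port": port, "properties": properties}


def check_jdbc_url(url, extra_props=None):
    """Return the list of policy violations; an empty list means accept."""
    try:
        parsed = parse_jdbc_url(url)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parsed["scheme"] not in ALLOWED_SCHEMES:
        problems.append(f"unexpected scheme {parsed['scheme']!r}")
    if parsed["host"] not in ALLOWED_HOSTS:
        problems.append(f"host {parsed['host']!r} not in allowlist")
    merged = dict(parsed["properties"])
    for key, value in (extra_props or {}).items():
        merged[key.lower()] = value
    for key in sorted(merged):
        if key in DENIED_PROPS:
            problems.append(f"property {key!r} may not be set by callers")
    return problems
```

Reject the connection and log the violation whenever the returned list is non-empty; the same check applies to URLs assembled from user-supplied fragments.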

Fix

Command Injection


Weakness Enumeration

Related Identifiers

CVE-2024-54660

Affected Products

Cloudera JDBC Connector for Hive
Cloudera JDBC Connector for Impala