CVE-2023-35701
📋 TL;DR
This CVE describes a code injection vulnerability in Apache Hive's JDBC driver that allows arbitrary code execution on client systems. Attackers can exploit it by tricking users into connecting to malicious HTTP servers via manipulated JDBC URLs. It affects Hive users running JDBC clients with vulnerable driver versions.
💻 Affected Systems
- Apache Hive
📦 What is this software?
Hive by Apache
Hive by Apache
Hive by Apache
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with privileged code execution on the JDBC client machine, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Limited code execution within the JDBC client process context, potentially allowing data exfiltration or further privilege escalation.
If Mitigated
No impact if proper URL validation and least privilege principles are followed, or if patched version is used.
🎯 Exploit Status
Exploitation requires setting up a malicious HTTP server and convincing users to connect via manipulated JDBC URLs. The client process must run with sufficient privileges for full impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.0
Vendor Advisory: https://lists.apache.org/thread/7zcv6l63spl4r66xwz5jv9rtrg2opx81
Restart Required: Yes
Instructions:
1. Download Apache Hive 4.0.0 or later from official Apache repositories. 2. Replace the vulnerable JDBC driver JAR files with the patched versions. 3. Restart all applications using the Hive JDBC driver. 4. Update any build dependencies to reference the new version.
🔧 Temporary Workarounds
Restrict JDBC URL Sources
allOnly allow JDBC connections to trusted, pre-approved servers and prevent users from specifying arbitrary JDBC URLs.
Run JDBC Clients with Least Privilege
allEnsure Hive JDBC client processes run with minimal system privileges to limit potential damage from exploitation.
🧯 If You Can't Patch
- Implement strict network controls to prevent JDBC connections to untrusted servers
- Use application allowlisting to prevent execution of unauthorized code on client systems
🔍 How to Verify
Check if Vulnerable:
Check the Hive JDBC driver version in use. If using version 4.0.0-alpha-1 through any version before 4.0.0, the system is vulnerable.Check Version:
java -cp hive-jdbc-*.jar org.apache.hive.jdbc.HiveDriver --version (if supported) or check JAR manifest: jar tf hive-jdbc-*.jar | grep META-INF/MANIFEST.MF && jar xf hive-jdbc-*.jar META-INF/MANIFEST.MF && cat META-INF/MANIFEST.MFVerify Fix Applied:
Verify that Hive JDBC driver version is 4.0.0 or later by checking the JAR file metadata or version properties.📡 Detection & Monitoring
Log Indicators:
- Unusual JDBC connection attempts to unknown IP addresses
- Error logs showing failed JDBC connections with unusual error patterns
- Process execution logs showing unexpected commands from JDBC client processes
Network Indicators:
- JDBC connections to non-standard ports or unfamiliar domains
- HTTP traffic from JDBC clients to suspicious servers
SIEM Query:
source="*hive*" AND (url="*jdbc:hive2://*" OR process="*java*" AND cmdline="*hive*jdbc*") AND dest_ip NOT IN [trusted_server_list]