CVE-2024-54660
📋 TL;DR
This JNDI injection vulnerability in Cloudera JDBC connectors allows attackers to inject malicious parameters into JDBC URLs, potentially leading to remote code execution. It affects applications using Cloudera JDBC Connector for Hive before 2.6.26 and JDBC Connector for Impala before 2.6.35. The vulnerability is triggered when untrusted parameters are used in the krbJAASFile property during database connections.
💻 Affected Systems
- Cloudera JDBC Connector for Hive
- Cloudera JDBC Connector for Impala
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attackers to execute arbitrary commands on affected servers.
Likely Case
Data exfiltration, credential theft, and lateral movement within the network via compromised database connections.
If Mitigated
Limited impact with proper input validation and network segmentation preventing successful exploitation.
🎯 Exploit Status
Exploitation requires understanding of JNDI injection techniques and ability to control JDBC URL parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Hive connector 2.6.26+, Impala connector 2.6.35+
Vendor Advisory: https://www.cloudera.com/security-center/
Restart Required: No
Instructions:
1. Identify all applications using affected connectors.
2. Download updated connectors from Cloudera.
3. Replace old connector JAR files with patched versions.
4. Update application dependencies to reference new versions.
5. Test connectivity and functionality.
🔧 Temporary Workarounds
Input validation for JDBC URLs
Validate and sanitize all JDBC URL parameters, especially krbJAASFile values, before passing them to the connectors.
Network segmentation
Restrict network access to database servers and limit outbound connections from application servers.
🧯 If You Can't Patch
- Implement strict input validation on all JDBC URL parameters to prevent injection
- Use network controls to block outbound LDAP/RMI connections from application servers
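The input-validation workaround above (and the first "If You Can't Patch" item) comes down to one rule: nothing a caller controls may add or override a connection property, and krbJAASFile in particular must only ever come from trusted configuration. The reference logic below is an added example, not code from this page or from the Cloudera connectors; the same checks belong in the Java code that builds the URL. It assumes the connectors' `;Key=Value` property syntax after the URL path, and the caller allow-list (`SocketTimeout`) and the trusted properties used in the tests (`AuthMech`, `KrbServiceName`) are illustrative.

```python
"""Reference checks for building a Cloudera Hive/Impala JDBC URL from trusted
configuration plus caller-supplied parameters. Added example; not code from the
advisory page or from Cloudera. Assumes ';Key=Value' property syntax."""
import re

# Properties that must never be reachable from untrusted input. krbJAASFile
# (CVE-2024-54660) selects the JAAS configuration file the connector loads.
PRIVILEGED_PROPERTIES = frozenset({"krbjaasfile"})

# Hypothetical allow-list of properties a caller may set (compared
# case-insensitively); most applications need none of these from users.
UNTRUSTED_KEY_ALLOWLIST = frozenset({"sockettimeout"})

_KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,253}$")
_DB_RE = re.compile(r"^[A-Za-z0-9_]{1,128}$")
# Values: no ';' or '=' (property delimiters), no whitespace, no controls.
_VALUE_RE = re.compile(r"^[A-Za-z0-9._@:/\-]{0,256}$")


class JdbcUrlError(ValueError):
    """Raised when a URL component fails validation."""


def _render_property(key, value):
    """Shape check applied to every property, trusted or not."""
    if not _KEY_RE.match(key):
        raise JdbcUrlError(f"malformed property name: {key!r}")
    if not _VALUE_RE.match(value):
        raise JdbcUrlError(f"malformed value for {key}: {value!r}")
    return f"{key}={value}"


def build_url(scheme, host, port, database, trusted_props=None, untrusted_props=None):
    """Build 'jdbc:<scheme>://host:port/db;K=V;...', rejecting any caller input
    that could smuggle a second property or override a trusted one."""
    if scheme not in ("hive2", "impala"):
        raise JdbcUrlError(f"unsupported scheme: {scheme!r}")
    if not _HOST_RE.match(host):
        raise JdbcUrlError(f"malformed host: {host!r}")
    if not (1 <= port <= 65535):
        raise JdbcUrlError(f"port out of range: {port}")
    if not _DB_RE.match(database):
        raise JdbcUrlError(f"malformed database name: {database!r}")

    trusted_props = trusted_props or {}
    untrusted_props = untrusted_props or {}
    trusted_keys = {k.lower() for k in trusted_props}

    parts = [_render_property(k, v) for k, v in trusted_props.items()]
    for key, value in untrusted_props.items():
        lowered = key.lower()
        if lowered in PRIVILEGED_PROPERTIES:
            raise JdbcUrlError(f"property {key} may not be set by callers")
        if lowered not in UNTRUSTED_KEY_ALLOWLIST:
            raise JdbcUrlError(f"property {key} is not in the caller allow-list")
        if lowered in trusted_keys:
            raise JdbcUrlError(f"property {key} would override trusted configuration")
        parts.append(_render_property(key, value))

    return ";".join([f"jdbc:{scheme}://{host}:{port}/{database}", *parts])


def privileged_properties_in(url):
    """Audit a complete URL (e.g. one read from a config file) and return the
    names of privileged properties it sets, so deployments can alert on them."""
    found = []
    for item in url.split(";")[1:]:
        key = item.split("=", 1)[0].strip()
        if key.lower() in PRIVILEGED_PROPERTIES:
            found.append(key)
    return found
```

The value regex is deliberately an allow-list rather than a search for `;krbJAASFile`: any caller value containing a property delimiter is rejected outright, which closes the class of injection rather than one spelling of it. `privileged_properties_in` is for the other direction, auditing URLs that arrive whole from configuration so an unexpected krbJAASFile can be flagged before it is used.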
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for hive-jdbc or impala-jdbc JAR files with versions below the patched versions.
Check Version:
java -cp hive-jdbc-*.jar org.apache.hive.jdbc.HiveDriver (check JAR filename version)
Verify Fix Applied:
Verify connector JAR files show version 2.6.26+ for Hive or 2.6.35+ for Impala in file metadata.
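The version check above relies on the JAR filename or file metadata. The script below is an added example (not from this page or from Cloudera) that reads the version from the JAR's own manifest and falls back to the filename, then compares it against the fixed versions stated here (Hive 2.6.26, Impala 2.6.35). It assumes the manifest carries the standard `Implementation-Version` attribute; the JAR names and version strings in the tests are constructed.

```python
"""Classify Cloudera Hive/Impala JDBC connector JARs against the fixed versions
named in this advisory. Added example, not code from the page or from Cloudera.
Assumes a standard Implementation-Version manifest attribute; otherwise the
version is read from the JAR filename."""
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSIONS = {"hive": (2, 6, 26), "impala": (2, 6, 35)}   # from this page
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def connector_for(jar_name):
    """Guess which connector a JAR belongs to from its name."""
    return "impala" if "impala" in jar_name.lower() else "hive"


def manifest_version(source):
    """Read Implementation-Version from META-INF/MANIFEST.MF; None if absent.
    `source` is a path or a binary file-like object."""
    with zipfile.ZipFile(source) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "implementation-version":
            return value.strip()
    return None


def assess_jar(jar_name, source):
    """Classify one JAR as 'fixed', 'vulnerable' or 'unknown'."""
    connector = connector_for(jar_name)
    text, origin = manifest_version(source), "manifest"
    if text is None:
        text, origin = jar_name, "filename"   # page's own check: the filename
    parsed = parse_version(text)
    if parsed is None:
        status = "unknown"
    elif parsed[:3] < FIXED_VERSIONS[connector]:
        status = "vulnerable"
    else:
        status = "fixed"
    return {"jar": jar_name, "connector": connector, "version": parsed,
            "version_source": origin if parsed else None, "status": status}


def scan_directory(directory):
    """Assess every *.jar under a directory (e.g. an application's lib/)."""
    return [assess_jar(p.name, p) for p in Path(directory).rglob("*.jar")]


def make_test_jar(implementation_version=None):
    """Constructed in-memory JAR containing only a manifest, used to exercise
    the checks offline; real connector JARs come from Cloudera."""
    manifest = "Manifest-Version: 1.0\r\n"
    if implementation_version:
        manifest += f"Implementation-Version: {implementation_version}\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for result in scan_directory("."):
        print(result)
```

Only the first three version components are compared, so a four-part build number such as 2.6.25.1044 is judged on 2.6.25. A JAR whose manifest and filename both lack a version is reported as unknown rather than silently treated as fixed.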
📡 Detection & Monitoring
Log Indicators:
- Unusual LDAP or RMI connections from application servers
- Failed authentication attempts with malformed JDBC URLs
Network Indicators:
- Outbound LDAP/RMI connections from application servers to unknown external hosts
SIEM Query:
source="application_logs" AND (message="*krbJAASFile*" OR message="*JNDI*" OR message="*LDAP*" OR message="*RMI*")
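The query above is a keyword search, so it is worth seeing what it does and does not catch on sample data. The script below is an added example (not part of this page) that applies the same keywords to constructed log lines and adds two checks the keyword query cannot express: a krbJAASFile value outside approved configuration directories, and a connection on an LDAP/RMI port to a host that is not the site's directory server. The log lines, hosts, ports and directories are constructed, and case-insensitive substring matching is assumed as the SIEM's wildcard semantics.

```python
"""Detection logic for the indicators on this page. Added example; the log
lines, approved hosts and directories are constructed, not real captures."""
import re

SIEM_KEYWORDS = ("krbJAASFile", "JNDI", "LDAP", "RMI")     # the page's query terms
DIRECTORY_PORTS = {389, 636, 1099}                        # LDAP, LDAPS, RMI registry
APPROVED_DIRECTORY_HOSTS = {"10.0.5.20"}                  # constructed: site LDAP/KDC
APPROVED_JAAS_DIRS = ("/etc/cloudera/", "/opt/app/conf/")  # constructed

_DST_RE = re.compile(r"\bdst=([A-Za-z0-9.\-]+):(\d{1,5})\b")
_JAAS_RE = re.compile(r"krbJAASFile=([^;\s]+)", re.IGNORECASE)

# Constructed application and connection log lines.
SAMPLE_LOGS = [
    "2024-12-02T10:14:03Z app01 INFO  jdbc.Pool opening jdbc:hive2://hive.example.internal:10000/sales;AuthMech=1",
    "2024-12-02T10:14:07Z app01 WARN  jdbc.Pool opening jdbc:hive2://hive.example.internal:10000/sales;AuthMech=1;krbJAASFile=/tmp/upload/jaas.conf",
    "2024-12-02T10:14:08Z app01 INFO  net.Conn outbound dst=203.0.113.9:1099 proto=tcp",
    "2024-12-02T10:14:09Z app01 INFO  net.Conn outbound dst=10.0.5.20:389 proto=tcp",
    "2024-12-02T10:15:00Z app01 INFO  auth user alice granted permission read",
    "2024-12-02T10:16:11Z app01 INFO  jdbc.Pool opening jdbc:hive2://hive.example.internal:10000/sales;AuthMech=1;krbJAASFile=/etc/cloudera/jaas.conf",
]


def siem_match(line):
    """Mirror of the page's query: case-insensitive substring match on any
    keyword (assumed wildcard semantics)."""
    low = line.lower()
    return any(k.lower() in low for k in SIEM_KEYWORDS)


def analyze(lines):
    """Return (line_number, reason) alerts for every check a line trips."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if siem_match(line):
            alerts.append((n, "siem-keyword"))
        jaas = _JAAS_RE.search(line)
        if jaas and not jaas.group(1).startswith(APPROVED_JAAS_DIRS):
            alerts.append((n, "jaas-file-outside-approved-dirs"))
        dst = _DST_RE.search(line)
        if (dst and int(dst.group(2)) in DIRECTORY_PORTS
                and dst.group(1) not in APPROVED_DIRECTORY_HOSTS):
            alerts.append((n, "directory-port-to-unapproved-host"))
    return alerts


if __name__ == "__main__":
    for n, reason in analyze(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

Two things the sample shows: the `*RMI*` term also matches the word "permission" in line 5, so the keyword query is noisy on its own, and the connection to port 1099 in line 3 carries no keyword at all, so it is only caught by the port-and-host check on connection logs. Pairing the keyword query with the path and destination checks gives a higher-confidence signal than either alone.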