Apache Hive SQL Injection Vulnerability in Metastore Server Thrift API

A SQL injection vulnerability has been identified in the Hive Metastore Server (HMS) versions 4.1.0 prior to 4.2.0. This vulnerability arises when HMS processes delete column statistics requests through the Thrift APIs. It can only be exploited by trusted or authorized users and applications that are permitted to directly call the Thrift APIs. In most real-world scenarios, HMS is only accessible to a limited number of applications, such as Hiveserver2, making this vulnerability generally non-exploitable. Additionally, the vulnerable code is not reached if the 'metastore.try.direct.sql' property is set to false.

Impact

Exploitation of this vulnerability allows for SQL injection, which could be used to manipulate database queries and potentially access or modify sensitive data.

Remediation

Users are advised to upgrade to Apache Hive version 4.2.0, which addresses this vulnerability. For those unable to upgrade, it is recommended to set the 'metastore.try.direct.sql' property to false if the HMS Thrift APIs are exposed to the public.