Apache Polaris Metadata Path Vulnerability Bypasses Location Validation
Vulnerability
A vulnerability in Apache Polaris prior to version 1.4.1 allows users to bypass location validation when altering the 'write.metadata.path' property of a table. This issue arises because the change is processed without revalidating the storage location, potentially leading to unauthorized access or modification of data. The vulnerability is exacerbated if the catalog allows unstructured table locations and the admin-configured allowlist includes the attacker-chosen target.
Impact
Exploitation of this vulnerability allows for uncontrolled writes of metadata to user-specified locations, which can be used to manipulate or corrupt data. Additionally, if the location is later validated and accepted, it can lead to unauthorized access to cloud-storage credentials for that location, facilitating further data exposure or modification.
Reproduction
To reproduce this vulnerability, first ensure that the Apache Polaris catalog is configured to allow unstructured table locations and that the allowlist includes the target location. Then, register a table in the catalog and use an 'ALTER TABLE' command to change the 'write.metadata.path' property to a location not previously validated by Polaris. This will bypass the normal location validation process, allowing metadata to be written to the unchecked location.
Remediation
Users should update to Apache Polaris version 1.4.1 or later, where this vulnerability has been addressed.
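As an added example (not Polaris code and not taken from the advisory), the audit below flags tables whose 'write.metadata.path' points outside the table's own location, and reports whether the target still falls inside the allowlist. The per-segment prefix matching is an assumed stand-in for the catalog's location check; the table records, allowlist and function names are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

PROP = "write.metadata.path"  # table property named in the advisory

def normalize(uri):
    """Return (scheme, authority, path); '.'/'..' collapsed (conservative choice)."""
    parts = urlsplit(uri)
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    return parts.scheme.lower(), parts.netloc, path

def is_under(uri, prefix):
    """True if uri equals prefix or lies below it, compared per path segment."""
    s, b, p = normalize(uri)
    ps, pb, pp = normalize(prefix)
    if (s, b) != (ps, pb):
        return False
    # Appending "/" stops "s3://lake/wh-other" from matching prefix "s3://lake/wh".
    return p == pp or p.startswith(pp.rstrip("/") + "/")

def audit(tables, allowed_prefixes):
    """Return (table, target, reason) for metadata paths outside the table location."""
    findings = []
    for t in tables:
        target = t.get("properties", {}).get(PROP)
        if target is None or is_under(target, t["location"]):
            continue  # unset (default under the table location) or explicitly inside it
        in_allowlist = any(is_under(target, a) for a in allowed_prefixes)
        reason = ("outside table location, inside allowlist" if in_allowlist
                  else "outside table location and allowlist")
        findings.append((t["name"], target, reason))
    return findings

# Constructed sample records: each carries a table location and its properties.
SAMPLE_TABLES = [
    {"name": "db.t1", "location": "s3://lake/wh/db/t1", "properties": {}},
    {"name": "db.t2", "location": "s3://lake/wh/db/t2",
     "properties": {PROP: "s3://lake/wh/db/t2/metadata"}},
    {"name": "db.t3", "location": "s3://lake/wh/db/t3",
     "properties": {PROP: "s3://lake/wh/db/t1/metadata"}},
    {"name": "db.t4", "location": "s3://lake/wh/db/t4",
     "properties": {PROP: "s3://lake/wh-other/meta"}},
]
ALLOWED = ["s3://lake/wh/"]  # constructed allowlist

if __name__ == "__main__":
    for finding in audit(SAMPLE_TABLES, ALLOWED):
        print(finding)
```

Findings marked "inside allowlist" correspond to the case the advisory describes, where the allowlist includes the chosen target; review them against who set the property and when.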
