April 27, 2022 fixed issues
This release of the Cloudera Data Warehouse (CDW) service on CDP Public Cloud fixes these issues.
- CDPD-35041 Security Vulnerability with SSO for Hive Virtual Warehouses in CDW Public Cloud
- This release fixes the SSO-related problem that occurred only in Hive Virtual Warehouses in
Cloudera Data Warehouse version 2021.0.6-b96 released on March 8, 2022. This problem affected
tenants who had the CDW_ALLOW_SSO_FOR_LLAP entitlement. In a misconfigured Hive Virtual
Warehouse, unauthorized users who knew the JDBC connection string and had a valid userid, could
execute arbitrary SQL queries on a Hive Virtual Warehouse. This security vulnerability no
longer exists. Hive now properly handles the situation by using LDAP authentication as follows:
If SSO authentication is enabled for a Hive Virtual Warehouse and a user bypasses
authentication altogether by removing the
auth=browseroption from the JDBC connection string, Hive uses LDAP authentication.