CVE-2016-6656 Code injection vulnerability via GPHDFS in Greenplum database


Severity

Medium

Vendor

Pivotal

Versions Affected
  • Pivotal Greenplum 4.3.0.0 to 4.3.9.1
  • Older versions that are end of life
Description

Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser ‘gpadmin’ access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table.

Mitigation

Users of affected versions should apply the following mitigation:

  • Users are advised to upgrade to Pivotal Greenplum version 4.3.10.0 or higher
  • Users should audit access to the gpadmin privilege and make changes as necessary
  • Users should audit GPHDFS privileges granted to non gpadmin users
  • Users should audit existing GPHDFS external tables and ensure they exist for normal business purposes
Credit

The vulnerability was reported responsibly by Josiah Yan.

References