CVE-2022-41137
Published: 05 December 2024
Summary
CVE-2022-41137 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Hive. Its CVSS base score is 8.3 (High).
Operationally, it ranks in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache Hive Metastore (HMS) is affected by an unsafe deserialization flaw tracked as CVE-2022-41137. The component SerializationUtilities#deserializeObjectWithTypeInformation is invoked during partition filtering and retrieval operations, permitting deserialization of attacker-controlled data without sufficient type checks or validation and resulting in remote code execution. The issue is classified under CWE-502 and carries a CVSS 3.1 score of 8.3.
Only authenticated clients that have already established a connection to the Metastore can trigger the flaw. Successful exploitation allows the attacker to execute arbitrary code on the server; any caller of the unsafe method is exposed unless it implements its own input validation beforehand.
Public references point to a fix committed in the Apache Hive repository and tracked under HIVE-26539, along with coordinated disclosure through the Apache mailing lists and Openwall. The patch addresses the deserialization path, and operators are advised to apply the update or ensure callers perform explicit argument checks before invoking the method.
EPSS scores have remained low throughout the observation window, indicating limited observed exploitation activity to date.
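The kind of caller-side check the advisory recommends, as an added illustration that is not Hive's code or the HIVE-26539 patch: a Java 9+ `ObjectInputFilter` allowlist installed on the `ObjectInputStream` before `readObject`, so any class the caller does not expect is rejected before it is instantiated. The `SafeDeserialization` class, its allowlist contents and the sample inputs are assumptions constructed for this demo.

```java
import java.io.*;
import java.util.*;

public final class SafeDeserialization {
    // Hypothetical allowlist for this demo: only the types this caller expects on its own code path.
    private static final Set<String> ALLOWED = Set.of("java.util.ArrayList", "java.lang.String");

    // ObjectInputStream consults this filter for every class and array it meets in the stream.
    static final ObjectInputFilter FILTER = info -> {
        // Bound nesting depth and object count so a hostile stream cannot exhaust resources.
        if (info.depth() > 8 || info.references() > 1_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;   // no class involved (e.g. primitives)
        while (c.isArray()) c = c.getComponentType();               // judge arrays by their element type
        return (c.isPrimitive() || ALLOWED.contains(c.getName()))
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    // Deserialize untrusted bytes; a rejected class raises InvalidClassException
    // before its readObject/readResolve ever runs, which is where gadget chains fire.
    public static Object deserializeChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one expected type and one unexpected (harmless) type.
        byte[] expected = serialize(new ArrayList<>(List.of("ds=2024-12-05")));
        System.out.println("accepted: " + deserializeChecked(expected));
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserializeChecked(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```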
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3437
Vulnerability details
Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions; that method is unsafe and can lead to Remote Code Execution (RCE), since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: submitting crafted serialized objects to the application exposes unsafe deserialization and drives corrective action.
- Deserialization testing: evaluating how untrusted data is handled reveals unsafe processing, which the required remediation process then addresses.
- Sandboxing: untrusted serialized data is deserialized and observed inside an isolated sandbox, so a gadget chain cannot reach the host outside it.
- Input validation: untrusted serialized data is validated or rejected before deserialization occurs.
- Boundary defenses: malicious code introduced through deserialization of untrusted data is identified and blocked at system boundaries.
- Integrity verification: checking the integrity of serialized data detects tampering before deserialization occurs.
- Data provenance: tracking where data came from identifies untrusted sources before deserialization or processing occurs.