CVE-2016-6656 Code injection vulnerability via GPHDFS in Greenplum database
- Pivotal Greenplum 220.127.116.11 to 18.104.22.168
- Older versions that are end of life
Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser ‘gpadmin’ access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table.
Users of affected versions should apply the following mitigation:
- Users are advised to upgrade to Pivotal Greenplum version 22.214.171.124 or higher
- Users should audit access to the gpadmin privilege and make changes as necessary
- Users should audit GPHDFS privileges granted to non gpadmin users
- Users should audit existing GPHDFS external tables and ensure they exist for normal business purposes
The vulnerability was reported responsibly by Josiah Yan.