CVE-2024-23945— Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails

Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12

N/A

通过错误消息导致的信息暴露

Apache Hive和Apache Spark 安全漏洞

Apache Hive和Apache Spark都是美国阿帕奇（Apache）基金会的产品。Apache Hive是一套基于Hadoop（分布式系统基础架构）的数据仓库软件。该软件提供了一个数据集成方法和一种高级的查询语言，以支持在Hadoop上进行大规模数据分析。Apache Spark是一款支持非循环数据流和内存计算的大规模数据处理引擎。 Apache Hive和Apache Spark存在安全漏洞，该漏洞源于当当前 Cookie 和预期 Cookie 的签名不匹配时，Apache Hive 的服务组

N/A

N/A