CVE-2016-3083

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Hive
Vendor: CVE Published:; 30 May 2017

Summary

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client will accept that as a valid certificate and the SSL handshake will go through.

Affected Version(s)

Apache Hive 0.11.0 - 0.14.0

Apache Hive 1.0.0 - 1.2.1

Apache Hive 2.0.0

References

https://lists.apache.org/thread.html/0851bcf85635385f94cd...

mailing-listx_refsource_MLIST

http://www.securityfocus.com/bid/98669

vdb-entryx_refsource_BID

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 30, 2017
Vulnerability Reserved
Mar 10, 2016