SSL Certificate Verification Issue in Apache Hive by The Apache Software Foundation
CVE-2016-3083
7.5 HIGH
Summary
Apache Hive versions prior to 1.2.2, and 2.0.x prior to 2.0.1, validate SSL certificates incorrectly: the JDBC client accepts a server's SSL certificate without correctly verifying the common name attribute. An attacker could exploit this by presenting a valid SSL certificate issued for a different domain; the SSL handshake would still succeed, allowing unauthorized access to sensitive information.
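The missing check, shown as an added example that is not Hive's code or its patch: in Java's JSSE, a plain `SSLSocket` validates the certificate chain but compares the certificate's name to the requested host only when an endpoint identification algorithm is set. The class and method names are hypothetical, and it is an assumption that the client opens a raw JSSE socket.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

// Hypothetical helper class; not part of Hive or its JDBC driver.
public class HostnameVerifiedTls {

    // True when the socket will compare the certificate name to the host it connected to.
    static boolean checksServerName(SSLSocket s) {
        String alg = s.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    // Enable name checking: "HTTPS" matches the certificate's subjectAltName
    // (or common name) against the host, in addition to chain validation.
    static void requireServerNameCheck(SSLSocket s) {
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
    }

    // Hardened connect: a certificate issued for another domain now fails the handshake.
    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        requireServerNameCheck(s);
        s.startHandshake(); // throws SSLHandshakeException on a name mismatch
        return s;
    }

    public static void main(String[] args) throws IOException {
        // Offline part: inspect an unconnected socket before and after hardening.
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket()) {
            System.out.println("default socket checks server name: " + checksServerName(s));
            requireServerNameCheck(s);
            System.out.println("after hardening: " + checksServerName(s));
        }
        // Optional: pass <host> <port> of your own TLS endpoint to test a real handshake.
        if (args.length == 2) {
            try (SSLSocket s = connect(args[0], Integer.parseInt(args[1]))) {
                System.out.println("handshake ok, peer: " + s.getSession().getPeerPrincipal());
            }
        }
    }
}
```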
Affected Version(s)
Apache Hive 0.11.0 - 0.14.0
Apache Hive 1.0.0 - 1.2.1
Apache Hive 2.0.0
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged