Application Security Flaw in Apache Hive and Spark Affecting Cookie Signature Verification
CVE-2024-23945

Currently unrated

Key Information:

Vendor
Apache
Status
Apache Hive
Apache Spark
Vendor
CVE Published:
23 December 2024

Badges

📈 Score: 278📰 News Worthy

What is CVE-2024-23945?

CVE-2024-23945 is a security vulnerability found in Apache Hive and Apache Spark, two widely utilized open-source frameworks for big data processing and querying. This vulnerability affects the cookie signing feature, which is crucial for ensuring the integrity and authenticity of cookies used within applications. When a mismatch occurs in the signature of a cookie, the system inadvertently exposes the correct signature to the end user, potentially enabling malicious actors to exploit this information. The exposure can compromise the security of applications leveraging these frameworks, leading to unauthorized access and manipulated data.

Technical Details

The root of CVE-2024-23945 lies in the faulty CookieSigner logic introduced in Apache Hive version 1.2.0 and in Apache Spark version 2.0.0. Specifically, the issue occurs in the following components:

  • org.apache.hive:hive-service
  • org.apache.spark:spark-hive-thriftserver_2.11
  • org.apache.spark:spark-hive-thriftserver_2.12

The vulnerability is triggered during the verification process of signed cookies, where discrepancies between expected and actual signatures reveal sensitive information. As a result, this presents a risk that attackers could utilize the exposed signature for further attacks, undermining the security layer that cookies are meant to provide.

Potential impact of CVE-2024-23945

  1. Unauthorized Access: The exposure of valid cookie signatures can allow attackers to forge cookies, potentially granting them unauthorized access to sensitive user sessions and personal data.

  2. Data Integrity Compromise: With the capability to manipulate cookie values, attackers could interfere with data processing operations, leading to incorrect data being utilized and decisions based on compromised data.

  3. Exploitation Opportunities: Providing attackers with the means to exploit the application's cookie logic opens pathways for further vulnerabilities to be introduced, potentially leading to more severe security breaches within organizations utilizing these frameworks.

Affected Version(s)

Apache Hive 1.2.0 < 4.0.0

Apache Spark 2.0.0 < 3.0.0

Apache Spark 3.0.0 < 3.3.4

News Articles

favicon imageDatabricks

Open Source Security at Databricks

The Databricks Product Security team is deeply committed to ensuring the security and integrity of its products, which are built on top of and integrated with a variety of open source projects. Recognizing...

1 month ago

References

https://github.com/apache/hive
product
https://github.com/apache/spark
product
https://github.com/apache/spark/commit/cf59b1f51c16301f68...
patch

Timeline

  • 📰

    First article discovered by Databricks

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kostya Kortchinsky
Hamza Tahmi
.