Timing Attack in Apache Hive Allows Signature Forgery by Authorized Users
CVE-2024-23953

6.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Hive
Vendor
CVE Published:
28 January 2025

Summary

A vulnerability in Apache Hive's LlapSignerImpl allows an attacker, who is already an authorized user, to forge valid signatures for arbitrary messages by exploiting the non-constant time behavior of the Arrays.equals() method. This flaw permits attackers to manipulate message validation, potentially leading to malicious submissions to LLAP. The associated issue could enable unauthorized activities, such as Denial of Service (DDoS) attacks, as it relies on the differences in signature comparison times. Users are strongly advised to upgrade to version 4.0.0 or later to mitigate this risk.

Affected Version(s)

Apache Hive 2.2.0 < 4.0.0

References

https://github.com/apache/hive
product
https://github.com/apache/hive/commit/b418e3c9f479ba8e7d3...
patch
https://issues.apache.org/jira/browse/HIVE-28030
issue-tracking

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Cosentino
.