CVE-2024-23945: Serious Vulnerability in Apache Hive and Spark Could Lead to Exploitation
A newly disclosed vulnerability, CVE-2024-23945, with a CVSS score of 8.7, has been identified in Apache Hive and Apache Spark, two widely used systems for large-scale data processing and analytics. The flaw, which affects the CookieSigner mechanism, poses a significant security risk by exposing valid cookie signatures when message verification fails. This oversight could enable malicious actors to exploit the system further.
The vulnerability lies within the CookieSigner component, a security feature designed to protect cookie integrity. “Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity,” the official description explains. However, in this case, “Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie.”
Because the correct cookie signature is disclosed even when verification fails, anyone who submits a tampered cookie learns exactly the signature that would make it valid. That information can be used to forge valid cookies and bypass the security checks the signature was meant to enforce.
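The disclosure pattern described above, as an added illustration that is not Apache Hive's own CookieSigner code: a constructed HMAC-signed cookie verifier whose mismatch error echoes the expected signature, beside a hardened version, plus a check a reviewer can run against either verifier. The cookie layout (`&s=` separator) and all names here are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed cookie layout for this example: "<value>&s=<hex HMAC-SHA256>"
SIGNATURE_SEP = "&s="


class CookieSigner:
    """Minimal signed-cookie helper (example code, not Apache Hive's)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def _sign(self, value: str) -> str:
        return hmac.new(self.secret, value.encode(), hashlib.sha256).hexdigest()

    def sign_cookie(self, value: str) -> str:
        return f"{value}{SIGNATURE_SEP}{self._sign(value)}"

    def _split(self, cookie: str):
        parts = cookie.rsplit(SIGNATURE_SEP, 1)
        if len(parts) != 2:
            raise ValueError("Invalid cookie format")
        return parts[0], parts[1]

    def verify_leaky(self, cookie: str) -> str:
        """Vulnerable pattern: the mismatch error echoes the *expected* signature."""
        value, presented = self._split(cookie)
        expected = self._sign(value)
        if presented != expected:  # plain != is also not a constant-time compare
            raise ValueError(f"Invalid sign, original = {presented} current = {expected}")
        return value

    def verify_fixed(self, cookie: str) -> str:
        """Hardened: constant-time compare, generic error, nothing secret-derived."""
        value, presented = self._split(cookie)
        if not hmac.compare_digest(self._sign(value), presented):
            raise ValueError("Invalid cookie signature")
        return value


def signature_disclosed(signer: CookieSigner, verify, tampered_cookie: str) -> bool:
    """Defender-side check: does the verifier's failure message contain the correct
    signature for the cookie's value? True means the CVE-2024-23945 pattern is present."""
    value, _ = signer._split(tampered_cookie)
    expected = signer._sign(value)
    try:
        verify(tampered_cookie)
    except ValueError as err:
        return expected in str(err)
    return False
```

Running `signature_disclosed` with a cookie whose signature has been replaced by junk returns True for the leaky verifier and False for the fixed one, which is the property a patch review for this class of bug should confirm.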
The vulnerability affects a wide range of Apache Hive and Spark versions:
- Apache Hive: 1.2.0 before 4.0.0
- Apache Spark: 2.0.0 before 3.0.0, 3.0.0 before 3.3.4, 3.4.0 before 3.4.2, and 3.5.0
The vulnerable components, including org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver_2.11, and org.apache.spark:spark-hive-thriftserver_2.12, are widely used in big data processing and analytics.
Organizations relying on Apache Hive or Spark are urged to update their systems to the latest patched versions immediately. Failing to do so could leave them vulnerable to serious security breaches.