PT-2017-8326 · Apache · Apache Hive
Branden Crawford · Published 2017-05-30 · Updated 2019-03-14 · CVE-2016-3083
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache Hive versions prior to 1.2.2
Apache Hive versions 2.0.x prior to 2.0.1
Description
The issue arises during validation of the server's certificate at connection setup: the client fails to verify the common name attribute of the certificate. As a result, a JDBC client sending an SSL request to a server, for example abc.com, will accept a valid certificate issued to a different domain, such as xyz.com, as long as it is certified by a CA. This compromises the security of the SSL handshake.
Recommendations
For Apache Hive versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue.
For Apache Hive versions 2.0.x prior to 2.0.1, update to version 2.0.1 or later to resolve the issue.
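The missing check from the Description, modelled in Python as an added example (not Apache Hive code and not the project's fix): a chain-only check accepts the xyz.com certificate for a connection to abc.com, while a hostname-aware check rejects it. It goes slightly beyond the advisory by also handling subjectAltName and wildcard names; the CA name, the certificates and all function names are constructed for illustration.

```python
# Added example (not Apache Hive code). Certificates are constructed dicts in
# the shape returned by ssl.SSLSocket.getpeercert(); chain validation is
# simplified to an issuer-name lookup so the example runs offline.
TRUSTED = {"Constructed Trusted CA"}  # hypothetical trust store

def make_cert(cn, sans=()):
    """Build a constructed certificate issued by the trusted CA."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", "Constructed Trusted CA"),),),
        "subjectAltName": tuple(("DNS", s) for s in sans),
    }

XYZ_CERT = make_cert("xyz.com")
ABC_CERT = make_cert("abc.com", sans=("abc.com",))
WILDCARD_CERT = make_cert("abc.com", sans=("*.abc.com",))

def name_matches(pattern, host):
    """Compare one certificate name with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label, never a bare suffix.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS subjectAltName entries take precedence; fall back to commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def chain_only_accepts(cert, trusted=TRUSTED):
    """The flawed check: any certificate from a trusted CA is accepted."""
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    return issuer.get("commonName") in trusted

def hostname_checked_accepts(cert, requested_host, trusted=TRUSTED):
    """The corrected check: trusted CA and a name matching the requested host."""
    return chain_only_accepts(cert, trusted) and any(
        name_matches(n, requested_host) for n in cert_names(cert))

if __name__ == "__main__":
    for cert in (XYZ_CERT, ABC_CERT, WILDCARD_CERT):
        print(cert_names(cert), chain_only_accepts(cert),
              hostname_checked_accepts(cert, "abc.com"))
```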
Fix
Improper Certificate Validation
Weakness Enumeration
Related Identifiers
Affected Products
Apache Hive