PT-2025-2366 · Apache · Apache Hive

Andrea Cosentino · Published 2025-01-28 · Updated 2025-02-01 · CVE-2024-23953

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache Hive versions prior to 4.0.0

Description: The issue arises from the use of Arrays.equals() in LlapSignerImpl to compare message signatures. Arrays.equals() returns false as soon as it encounters a differing byte, so the comparison time depends on the array contents; an attacker who measures that timing difference can forge a valid signature for an arbitrary message byte by byte. This is the general weakness of validating a signature without a constant-time comparison algorithm. A malicious user could thereby submit splits or work with selected signatures to LLAP without running as a privileged user, potentially leading to a DDoS attack. The attacker must be an authorized user of the product to perform this attack.

Recommendations: Apache Hive versions prior to 4.0.0: upgrade to version 4.0.0, which fixes this issue.

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

BDU:2025-05249
CVE-2024-23953
GHSA-P953-3J66-HG45

Affected Products

Apache Hive