[HIVE-17152] Improve security of random generator for HS2 cookies - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.0.0
Component/s: HiveServer2
Labels:
None

Description

The random number generated is used as a secret to append to a sequence and SHA to implement a CookieSigner. If this is attackable, then it's possible for an attacker to sign a cookie as if we had. We should fix this and use SecureRandom as a stronger random function .

HTTPAuthUtils has a similar issue. If that is attackable, an attacker might be able to create a similar cookie. Paired with the above issue with the CookieSigner, it could reasonably spoof a HS2 cookie.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-17152.1.patch
21/Jul/17 18:50
2 kB
Tao Li

Activity

People

Assignee:: Tao Li

Reporter:: Tao Li

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 21/Jul/17 18:48

Updated:: 22/May/18 23:58

Resolved:: 07/Sep/17 17:54