Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-17152

Improve security of random generator for HS2 cookies

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.0.0
    • HiveServer2
    • None

    Description

      The random number generated is used as a secret to append to a sequence and SHA to implement a CookieSigner. If this is attackable, then it's possible for an attacker to sign a cookie as if we had. We should fix this and use SecureRandom as a stronger random function .

      HTTPAuthUtils has a similar issue. If that is attackable, an attacker might be able to create a similar cookie. Paired with the above issue with the CookieSigner, it could reasonably spoof a HS2 cookie.

      Attachments

        1. HIVE-17152.1.patch
          2 kB
          Tao Li

        Activity

          People

            taoli-hwx Tao Li
            taoli-hwx Tao Li
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: