Did you ever wonder if your app’s signed cookies are really safe?
Let’s talk about CVE-2024-23945: a major info disclosure bug in Apache Hive and Apache Spark that could put your data at risk—with code examples and everything you need to understand and spot the flaw.
Quick Recap: What Are Signed Cookies?
A signed cookie is just a cookie with a digital signature attached.
Why? So attackers can’t freely tamper with cookie data. When a server creates a cookie, it calculates a signature (using something like HMAC and a secret key), storing both the value and the signature in the cookie.
Every time it reads the cookie, the server checks the signature to make sure the value hasn’t been changed.
Example structure
cookie_value|signature
What Went Wrong in Apache Hive & Spark?
In some versions of Apache Hive and Apache Spark Hive ThriftServer, a botched signature results in the *correct, server-generated* signature being sent back to the user—even if the signature was invalid.
Bad: If validation fails, app tells the user what the signature should have been.
If an attacker tampers with the cookie and triggers this logic, they get a *correct signature* back.
This completely breaks the point of signing the cookie.
Vulnerable Modules
- org.apache.hive:hive-service (since Hive 1.2. / HIVE-971)
- org.apache.spark:spark-hive-thriftserver_2.11 (since Spark 2.. / SPARK-14987)
Reference Links
- CVE-2024-23945 at NVD
- Apache Hive Security Advisory HIVE-27668
- Spark security advisory SPARK-45677
Attacker uses this information to forge cookies with valid signatures in the future.
End result: Attackers can fake any cookie value and sign it with a *genuine* signature, opening the door to privilege escalation, data theft, or session hijack.
Here’s a pseudocode version of what goes wrong
public class CookieSigner {
String sign(String data) {
// Simplified: computes HMAC-SHA256
return Base64.encode(hmac(secretKey, data));
}
boolean verify(String data, String signature) {
String expected = sign(data);
if (!expected.equals(signature)) {
// VULNERABLE: Leaks the correct signature
return sendToUser("Signature mismatch. Expected: " + expected);
}
return true;
}
}
What’s wrong? The server response tells the client the exact valid signature (that only the server should know).
spark-hive-thriftserver_2.11 or _2.12 >= 2.. < patched
Try tampering a session cookie and see if the server responds with the correct signature or other signing info.
Example patched logic
if (!expected.equals(signature)) {
// Do not include the 'expected' signature in any user-facing output!
throw new UnauthorizedException("Signature mismatch.");
}
Final Thoughts
Signed cookies are great—until you leak the magic string that makes them secure.
With CVE-2024-23945 affecting some of the most popular analytics stacks, it’s vital to patch up, check your audit logs, and never, ever reveal your digital signature secrets to the client.
Stay safe, stay sharp!
Further Reading:
- Session Security Best Practices (OWASP)
- HIVE-27668 Jira
- SPARK-45677 Jira
*This exclusive guide was created for a technical audience seeking clarity on CVE-2024-23945’s real-world impact and exploitation.*
Timeline
Published on: 12/23/2024 16:15:05 UTC
Last modified on: 03/19/2025 14:15:36 UTC