The CVE-2024-23945 vulnerability revolves around an application security feature known as "signed cookies." A signed cookie carries a digital signature that is used to verify the authenticity and integrity of the cookie data, which protects the cookie's value from being tampered with by bad actors. The vulnerability arises when Apache Hive and Apache Spark inadvertently reveal the expected signature in cases where the signature presented in the cookie does not match the one the server computes. In this long-read post, we will explore the details of this vulnerability, including its history, the code snippet at the heart of the issue, and what developers can do to protect their applications.

History and Context

The vulnerable code logic governing signed cookie handling was introduced to Apache Hive in HIVE-971 (1.2.) (1) and into Apache Spark in SPARK-14987 (2..) (2). Affected components include org.apache.hive:hive-service (3), org.apache.spark:spark-hive-thriftserver_2.11 (4), and org.apache.spark:spark-hive-thriftserver_2.12 (5).

(1) https://issues.apache.org/jira/browse/HIVE-971
(2) https://issues.apache.org/jira/browse/SPARK-14987
(3) https://mvnrepository.com/artifact/org.apache.hive/hive-service
(4) https://mvnrepository.com/artifact/org.apache.spark/spark-hive-thriftserver_2.11
(5) https://mvnrepository.com/artifact/org.apache.spark/spark-hive-thriftserver_2.12

Code Snippet

The issue at hand stems from the CookieSigner.java file, which was added to the Hive and Spark projects. The following snippet illustrates the vulnerability:

if (signature.equals(expectedSignature)) {
    return getUnsignedValue(cookieValue);
} else {
    // Vulnerable: the warning writes the valid (expected) signature to the log
    LOG.warn("Expected " + expectedSignature + " but received a " +
        signature + " cookie:" + signedValue);
}

From the code above, we can see that the vulnerability is created when the if check fails: the else branch logs a warning that includes the expected signature, exposing it to anyone who can read the log.
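To make the difference concrete, here is an added example (written for this post in Python, not the Java from CookieSigner.java and not the project's own patch) that reproduces the leaky branch beside a hardened one. The marker "&s=", the secret key, the RecordingLog stand-in for LOG, and the function names are all assumptions for the demo; the signature scheme is HMAC-SHA256 over the raw cookie value.

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Constructed demo key; a real deployment loads its signing secret from configuration.
SECRET_KEY = b"demo-only-signing-key-not-for-production"
# Assumed separator between the raw cookie value and its signature (demo only,
# not the marker used by the real CookieSigner).
SIGNATURE_MARKER = "&s="


class RecordingLog:
    """Stand-in for the project's LOG object that keeps warnings in memory."""

    def __init__(self) -> None:
        self.messages: List[str] = []

    def warn(self, message: str) -> None:
        self.messages.append(message)


def compute_signature(raw_value: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 of the raw cookie value, hex encoded."""
    return hmac.new(key, raw_value.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_cookie(raw_value: str, key: bytes = SECRET_KEY) -> str:
    """Append the signature so the value can later be verified."""
    return raw_value + SIGNATURE_MARKER + compute_signature(raw_value, key)


def split_signed(signed_value: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'raw&s=signature' into (raw, signature); (None, None) if the marker is absent."""
    index = signed_value.rfind(SIGNATURE_MARKER)
    if index == -1:
        return None, None
    return signed_value[:index], signed_value[index + len(SIGNATURE_MARKER):]


def verify_leaky(signed_value: str, log: RecordingLog, key: bytes = SECRET_KEY) -> Optional[str]:
    """Mirrors the vulnerable branch: on mismatch the warning reveals expectedSignature."""
    raw_value, signature = split_signed(signed_value)
    if raw_value is None:
        return None
    expected_signature = compute_signature(raw_value, key)
    if signature == expected_signature:  # plain equality, also not constant time
        return raw_value
    log.warn("Expected " + expected_signature + " but received a "
             + signature + " cookie:" + signed_value)
    return None


def verify_fixed(signed_value: str, log: RecordingLog, key: bytes = SECRET_KEY) -> Optional[str]:
    """Hardened form: constant-time compare, and the warning never contains the valid signature."""
    raw_value, signature = split_signed(signed_value)
    if raw_value is None:
        return None
    expected_signature = compute_signature(raw_value, key)
    if hmac.compare_digest(expected_signature.encode("ascii"), signature.encode("ascii")):
        return raw_value
    log.warn("Rejected cookie with invalid signature (length %d)" % len(signed_value))
    return None


def warning_reveals_valid_signature(verify: Callable[..., Optional[str]], signed_value: str,
                                    key: bytes = SECRET_KEY) -> bool:
    """Audit helper: does the verifier's warning contain the valid signature for this raw value?"""
    log = RecordingLog()
    verify(signed_value, log, key)
    raw_value, _ = split_signed(signed_value)
    if raw_value is None:
        return False
    valid_signature = compute_signature(raw_value, key)
    return any(valid_signature in message for message in log.messages)


def tampered_cookie(raw_value: str) -> str:
    """Constructed sample input: a modified value carrying a placeholder signature."""
    return raw_value + SIGNATURE_MARKER + ("0" * 64)


if __name__ == "__main__":
    bad = tampered_cookie("user=admin")
    print("leaky warning reveals valid signature:", warning_reveals_valid_signature(verify_leaky, bad))
    print("fixed warning reveals valid signature:", warning_reveals_valid_signature(verify_fixed, bad))
```

The audit helper is the useful part for a code review: run every signature-verification path in the codebase against a tampered value and check whether the resulting log line contains the signature the server just computed. A verifier that passes this check still has to reject the cookie, which both versions above do; the hardened one additionally uses hmac.compare_digest so that the comparison itself does not leak timing information.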

Exploit Details

Because the expected signature is exposed, an attacker who can read the log no longer needs the signing secret to produce a cookie with a valid signature. The system then interprets that cookie as legitimate, which is what allows bad actors to exploit the flaw. Common attacks that build on this kind of weakness include session hijacking, privilege escalation, and unauthorized access to sensitive data.

Mitigation

To safeguard against this vulnerability, the Apache Hive and Apache Spark projects have provided patches and updates to their respective codebases that address the issue.

Developers using these libraries should ensure they are running the latest version with the appropriate patches in place to protect the applications they build. Keeping software updated and staying informed of ongoing security threats can help mitigate future risks.

Conclusion

CVE-2024-23945 is a significant vulnerability affecting Apache Hive and Apache Spark due to the inadvertent exposure of the expected cookie signature when a signature mismatch occurs. It is critical for those using these platforms to update their components to the latest versions with the provided patches and to remain vigilant in monitoring security developments.

Timeline

Published on: 12/23/2024 16:15:05 UTC
Last modified on: 03/19/2025 14:15:36 UTC