hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tao Li (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HIVE-17152) Improve security of random generator for HS2 cookies
Date Fri, 21 Jul 2017 18:49:00 GMT
Tao Li created HIVE-17152:
-----------------------------

             Summary: Improve security of random generator for HS2 cookies
                 Key: HIVE-17152
                 URL: https://issues.apache.org/jira/browse/HIVE-17152
             Project: Hive
          Issue Type: Bug
            Reporter: Tao Li
            Assignee: Tao Li


The random number generated is used as a secret to append to a sequence and SHA to implement
a CookieSigner. If this is attackable, then it's possible for an attacker to sign a cookie
as if we had. We should fix this and use SecureRandom as a stronger random function .

HTTPAuthUtils has a similar issue. If that is attackable, an attacker might be able to create
a similar cookie. Paired with the above issue with the CookieSigner, it could reasonably spoof
a HS2 cookie.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message