hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tao Li (JIRA)" <>
Subject [jira] [Commented] (HIVE-17152) Improve security of random generator for HS2 cookies
Date Mon, 31 Jul 2017 21:26:00 GMT


Tao Li commented on HIVE-17152:

All test failures except the below ones are tracked in HIVE-15058.

org.apache.hive.jdbc.TestJdbcWithMiniHS2.testConcurrentStatements (batchId=228)
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testParallelCompilation2 (batchId=228)

Those 2 tests passed locally on my box. If they keep recurring, then we can add them to HIVE-15058.

[~thejas] Can you please review the patch?

> Improve security of random generator for HS2 cookies
> ----------------------------------------------------
>                 Key: HIVE-17152
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Tao Li
>            Assignee: Tao Li
>         Attachments: HIVE-17152.1.patch
> The random number generated is used as a secret to append to a sequence and SHA to implement
a CookieSigner. If this is attackable, then it's possible for an attacker to sign a cookie
as if we had. We should fix this and use SecureRandom as a stronger random function .
> HTTPAuthUtils has a similar issue. If that is attackable, an attacker might be able to
create a similar cookie. Paired with the above issue with the CookieSigner, it could reasonably
spoof a HS2 cookie.

This message was sent by Atlassian JIRA

View raw message