hive-user mailing list archives

From Ying Chen <ying.in...@gmail.com>
Subject Re: CVE-2016-3083: Apache Hive SSL vulnerability bug disclosure
Date Tue, 30 May 2017 19:35:38 GMT
Hello -
Was there a particular JIRA(s) that went into Hive 1.2.2 that fixed this
issue?
Thanks much.
Ying


On Wed, May 24, 2017 at 3:56 PM, Vaibhav Gumashta <vgumashta@hortonworks.com> wrote:

> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Hive 0.13.x
> Apache Hive 0.14.x
> Apache Hive 1.0.0 - 1.0.1
> Apache Hive 1.1.0 - 1.1.1
> Apache Hive 1.2.0 - 1.2.1
> Apache Hive 2.0.0
>
> Description:
>
> Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP
> connections (it supports both transport modes). While validating the
> server’s certificate during the connection setup, the client doesn’t seem
> to be verifying the common name attribute of the certificate. In this way,
> if a JDBC client sends an SSL request to server abc.com, and the server
> responds with a valid certificate (certified by CA) but issued to xyz.com,
> the client will accept that as a valid certificate and the SSL handshake
> will go through.
>
> Mitigation:
>
> Upgrade to Apache Hive 1.2.2 for 1.x release line, or to Apache Hive 2.0.1
> or later for 2.0.x release line, or to Apache Hive 2.1.0 and later for
> 2.1.x release line.
>
> Credit: This issue was discovered by Branden Crawford from Inteco Systems
> Limited (inetco.com).
>
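As an added illustration, not taken from the advisory, the Hive JDBC driver or any reply in this thread, the following Python shows the check the advisory says the client skipped: matching the requested hostname against the names in the server's certificate after chain validation. The certificate dicts are constructed by hand in the layout that ssl.SSLSocket.getpeercert() returns, so nothing connects to a network. The advisory's case (client asks for abc.com, server presents a CA-valid certificate issued to xyz.com) is rejected by verify_peer_hostname and accepted by vulnerable_accepts, which stands in for a client that stops at chain validation. All hostnames, certificates and function names here are assumptions for the example; the matching rules follow RFC 6125 (DNS subjectAltName entries first, the subject CN only when no DNS SAN is present, wildcard allowed only as the whole leftmost label).

```python
"""
Hostname verification against an X.509 peer certificate.

Added example, not code from Apache Hive. Certificates below are
constructed samples in the dict layout returned by
ssl.SSLSocket.getpeercert(); no TLS connection is made.
"""
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a wildcard is only
    valid as the entire leftmost label, and it never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.example.com" matches "hs2.example.com" but not "example.com",
    # "a.b.example.com", or anything where "*" is not the whole label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """DNS entries of the subjectAltName extension, in getpeercert() layout."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_names(cert: dict) -> list:
    """commonName attributes of the subject, in getpeercert() layout."""
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn
            if kind == "commonName"]


def verify_peer_hostname(cert: dict, hostname: str) -> bool:
    """Hardened client behaviour: after the chain has been validated, the
    requested hostname must still match a DNS SAN, or, only when the
    certificate carries no DNS SAN at all, the subject CN."""
    names = san_dns_names(cert) or subject_common_names(cert)
    return any(_dns_name_matches(name, hostname) for name in names)


def vulnerable_accepts(cert: dict, hostname: str) -> bool:
    """Behaviour the advisory describes: the certificate is assumed to have
    passed CA validation, and the client accepts it without ever comparing
    its names against the hostname it asked for."""
    return True


def client_context(check_hostname: bool) -> ssl.SSLContext:
    """How the same switch looks in Python's ssl module: the default context
    verifies the chain; check_hostname=False reproduces the advisory's gap."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = check_hostname
    return ctx


# Constructed sample certificates (not real), getpeercert() layout.
CERT_FOR_XYZ = {
    "subject": ((("commonName", "xyz.com"),),),
    "subjectAltName": (("DNS", "xyz.com"), ("DNS", "www.xyz.com")),
}
CERT_FOR_ABC_CN_ONLY = {
    "subject": ((("commonName", "abc.com"),),),
}
# CN says abc.com but the SAN says xyz.com: a SAN-aware client ignores the CN.
CERT_CN_ABC_SAN_XYZ = {
    "subject": ((("commonName", "abc.com"),),),
    "subjectAltName": (("DNS", "xyz.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def demo(requested: str = "abc.com") -> dict:
    """The advisory's scenario: client connects to abc.com, server presents
    a CA-valid certificate issued to xyz.com."""
    return {
        "vulnerable_accepts_xyz_cert": vulnerable_accepts(CERT_FOR_XYZ, requested),
        "hardened_accepts_xyz_cert": verify_peer_hostname(CERT_FOR_XYZ, requested),
        "hardened_accepts_abc_cert": verify_peer_hostname(CERT_FOR_ABC_CN_ONLY, requested),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the SAN-first rule is the CERT_CN_ABC_SAN_XYZ sample: a certificate whose CN reads abc.com but whose SAN lists only xyz.com is still rejected for abc.com, because once a DNS SAN is present the CN carries no weight. A client that only looks at the CN, or at nothing, accepts it.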
