[jira] [Updated] (HIVE-17152) Improve security of random generator for HS2 cookies

Tao Li (JIRA) Mon, 31 Jul 2017 14:17:23 -0700

     [ 
https://issues.apache.org/jira/browse/HIVE-17152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Tao Li updated HIVE-17152:
--------------------------
    Status: Patch Available  (was: Open)

> Improve security of random generator for HS2 cookies
> ----------------------------------------------------
>
>                 Key: HIVE-17152
>                 URL: https://issues.apache.org/jira/browse/HIVE-17152
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Tao Li
>            Assignee: Tao Li
>         Attachments: HIVE-17152.1.patch
>
>
> The random number generated is used as a secret to append to a sequence and 
> SHA to implement a CookieSigner. If this is attackable, then it's possible 
> for an attacker to sign a cookie as if we had. We should fix this and use 
> SecureRandom as a stronger random function .
> HTTPAuthUtils has a similar issue. If that is attackable, an attacker might 
> be able to create a similar cookie. Paired with the above issue with the 
> CookieSigner, it could reasonably spoof a HS2 cookie.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (HIVE-17152) Improve security of random generator for HS2 cookies

Reply via email to