You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Tao Li (JIRA)" <ji...@apache.org> on 2017/07/21 18:49:00 UTC
[jira] [Created] (HIVE-17152) Improve security of random generator
for HS2 cookies
Tao Li created HIVE-17152:
-----------------------------
Summary: Improve security of random generator for HS2 cookies
Key: HIVE-17152
URL: https://issues.apache.org/jira/browse/HIVE-17152
Project: Hive
Issue Type: Bug
Reporter: Tao Li
Assignee: Tao Li
The random number generated is used as a secret to append to a sequence and SHA to implement a CookieSigner. If this is attackable, then it's possible for an attacker to sign a cookie as if we had. We should fix this and use SecureRandom as a stronger random function .
HTTPAuthUtils has a similar issue. If that is attackable, an attacker might be able to create a similar cookie. Paired with the above issue with the CookieSigner, it could reasonably spoof a HS2 cookie.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)