CVE-2024-23953
Signature Forgery vulnerability in hive-llap-common (Maven)
What is CVE-2024-23953 About?
A vulnerability in Apache Hive (LlapSignerImpl) allows authorized attackers to forge valid signatures for arbitrary messages byte by byte. The cause is the use of `Arrays.equals()` for signature comparison: its execution time depends on where the first differing byte occurs, which enables timing attacks. The flaw can lead to denial of service through malicious submissions to LLAP without proper authorization; exploitation is moderately complex.
Affected Software
Technical Details
The vulnerability in LlapSignerImpl in Apache Hive stems from the use of `Arrays.equals()` to compare message signatures. Unlike a constant-time comparison, `Arrays.equals()` returns false as soon as a differing byte is encountered, so the comparison time depends directly on the content of the arrays. An authorized attacker can exploit this timing discrepancy in a side-channel attack (specifically, a timing attack) to determine the correct signature byte by byte. By observing the subtle differences in response time for each byte of the forged signature, the attacker can iteratively deduce the valid signature, which allows them to forge signatures for arbitrary messages and submit them to LLAP without the necessary privileges.
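The following Java snippet is an added illustration of the comparison problem described above; it is not Hive's own code, and the HMAC-SHA256 signer, class and method names, and the sample key and message are all constructed for the demo. It places a verifier in the vulnerable shape (`Arrays.equals()`, which stops at the first mismatching byte) beside a hardened one that uses the JDK's `MessageDigest.isEqual()`, which does not short-circuit on the first differing byte.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not Hive's own code: a minimal HMAC-SHA256 signer with
// a verifier in the vulnerable shape described above (Arrays.equals) and a
// hardened one that compares without short-circuiting (MessageDigest.isEqual).
public class SignerCompareDemo {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    SignerCompareDemo(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALG);
    }

    // Compute the HMAC of a message under the shared secret.
    byte[] sign(byte[] message) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(key);
        return mac.doFinal(message);
    }

    // Vulnerable shape: Arrays.equals returns at the first mismatching byte,
    // so the time taken reveals how many leading bytes of the guess are right.
    boolean verifyVulnerable(byte[] message, byte[] signature) throws Exception {
        return Arrays.equals(sign(message), signature);
    }

    // Hardened shape: MessageDigest.isEqual examines the bytes without
    // stopping at the first difference, so the result arrives in a time
    // that does not depend on how much of the guess was correct.
    boolean verifyConstantTime(byte[] message, byte[] signature) throws Exception {
        return MessageDigest.isEqual(sign(message), signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and message for the demo (not real values).
        SignerCompareDemo signer =
            new SignerCompareDemo("demo-secret-key".getBytes(StandardCharsets.UTF_8));
        byte[] msg = "submit-work:fragment-42".getBytes(StandardCharsets.UTF_8);
        byte[] good = signer.sign(msg);
        byte[] forged = good.clone();
        forged[forged.length - 1] ^= 0x01; // flip one bit in the last byte

        System.out.println("vulnerable,    valid sig:  " + signer.verifyVulnerable(msg, good));
        System.out.println("vulnerable,    forged sig: " + signer.verifyVulnerable(msg, forged));
        System.out.println("constant-time, valid sig:  " + signer.verifyConstantTime(msg, good));
        System.out.println("constant-time, forged sig: " + signer.verifyConstantTime(msg, forged));
    }
}
```

Both verifiers accept the genuine signature and reject the forged one; the difference is only in how long rejection takes, which is exactly the channel the advisory describes. When auditing Java code that checks MACs, signatures, or tokens, treat any `Arrays.equals()` or `String.equals()` on a secret-derived value as a finding and replace it with `MessageDigest.isEqual()` or an equivalent constant-time routine.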
What is the Impact of CVE-2024-23953?
Successful exploitation may allow authorized attackers to forge valid signatures for arbitrary messages, leading to unauthorized operations within the system and potentially enabling Denial of Service attacks on LLAP resources.
What is the Exploitability of CVE-2024-23953?
Exploitation of this vulnerability requires the attacker to be an authorized user of Apache Hive. The method involves conducting a timing attack to forge signatures byte by byte, which implies measuring response times. This makes the exploitation complex, as it requires careful observation and analysis of timing differences, potentially over many attempts. The attack is likely remote if an attacker can interact with the signature validation process over a network. There are no explicit privilege requirements beyond being an authorized user. The constraint is that the vulnerability is specifically within LlapSignerImpl during signature comparison. Risk factors include the availability of accurate timing information to the attacker and the attacker's ability to trigger signature validations repeatedly.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-23953?
Available Upgrade Options
- org.apache.hive:hive-llap-common
- <4.0.0 → Upgrade to 4.0.0
Additional Resources
- https://github.com/apache/hive
- https://lists.apache.org/thread/0nloywj49nbtlc6l3c6363qvq7o1ztb7
- http://www.openwall.com/lists/oss-security/2025/01/28/3
- https://nvd.nist.gov/vuln/detail/CVE-2024-23953
- https://github.com/apache/hive/commit/b418e3c9f479ba8e7d31e6470306111002ffa809
- https://issues.apache.org/jira/browse/HIVE-28030
- https://blog.gypsyengineer.com/en/security/preventing-timing-attacks-with-codeql.html
- https://cqr.company/web-vulnerabilities/timing-attacks
What are Similar Vulnerabilities to CVE-2024-23953?
Similar Vulnerabilities: CVE-2023-28156, CVE-2023-27043, CVE-2022-40768, CVE-2022-26365, CVE-2021-3923
