CVE-2024-23945: 
Java vulnerability analysis and mitigation

CVE-2024-23945 is a security vulnerability affecting Apache Hive and Apache Spark's CookieSigner mechanism. The vulnerability was discovered and disclosed on December 23, 2024, impacting Apache Hive versions 1.2.0 before 4.0.0, and Apache Spark versions 2.0.0 before 3.0.0, 3.0.0 before 3.3.4, 3.4.0 before 3.4.2, and 3.5.0. The affected components include org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver2.11, and org.apache.spark:spark-hive-thriftserver2.12 (OSS Security).

The vulnerability exists in the CookieSigner component, which is designed to add digital signatures to cookie data for verifying authenticity and integrity. When there is a mismatch between the current and expected cookie signatures, Apache Hive's service component inadvertently exposes the signed cookie to the end user. The vulnerable CookieSigner logic was initially introduced in Apache Hive through HIVE-9710 (version 1.2.0) and in Apache Spark through SPARK-14987 (version 2.0.0). The vulnerability has been assigned a CVSS score of 8.7, indicating a high severity level (Security Online).

The exposure of the correct cookie signature when verification fails can lead to further exploitation. This vulnerability compromises the security mechanism designed to prevent malicious actors from modifying cookie values, potentially enabling attackers to bypass authentication controls and exploit the system (NVD).

Organizations using affected versions of Apache Hive or Spark are strongly advised to update their systems to the latest patched versions. The vulnerability has been addressed through commits in both Apache Hive (7638cb1a3b07713cc490aa2909a37037f89e08b4) and Apache Spark (cf59b1f51c16301f689b4e0f17ba4dbd140e1b19) repositories (OSS Security).