CVE-2024-23945 Overview
CVE-2024-23945 is an information disclosure vulnerability affecting the cookie signing functionality of Apache Hive and Apache Spark. Signing cookies is an application security feature that appends a digital signature to cookie data so the server can verify its authenticity and integrity. The signature lets the server detect when a cookie value has been modified; without it, tampering with the cookie can lead to security vulnerabilities and exploitation.
Apache Hive's service component accidentally exposes the expected cookie signature to the end user when the signature on the submitted cookie does not match the one the server computes. Exposing the correct cookie signature can lead to further exploitation, potentially allowing attackers to forge valid cookies and bypass authentication mechanisms.
Critical Impact
The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (version 1.2.0) and in Apache Spark by SPARK-14987 (version 2.0.0), affecting org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver_2.11, and org.apache.spark:spark-hive-thriftserver_2.12 components.
Affected Products
- Apache Hive (versions 1.2.0 and later)
- Apache Spark (versions 2.0.0 and later)
- Apache Spark 3.5.0
Discovery Timeline
- December 23, 2024 - CVE-2024-23945 published to NVD
- July 14, 2025 - Last updated in NVD database
Technical Details for CVE-2024-23945
Vulnerability Analysis
This vulnerability is classified under CWE-209 (Generation of Error Message Containing Sensitive Information). The core issue lies in the error handling behavior of the CookieSigner component within Apache Hive's service layer and Apache Spark's Hive ThriftServer.
When a client submits a cookie with an invalid or mismatched signature, the application's error response inadvertently includes the expected valid signature. This information disclosure allows an attacker to learn the correct cookie signature without having access to the secret signing key, effectively bypassing the cookie integrity protection mechanism.
The vulnerability requires network access to exploit but does not require authentication or user interaction. While the attack complexity is considered high due to the need to trigger the signature mismatch condition, successful exploitation can lead to high integrity impact as attackers could forge authenticated sessions.
Root Cause
The root cause stems from improper error message handling in the CookieSigner class. When signature validation fails, the error response includes the computed expected signature value rather than a generic error message. This violates the principle of not exposing sensitive cryptographic material in error responses.
The vulnerable logic was introduced in:
- Apache Hive through HIVE-9710 in version 1.2.0
- Apache Spark through SPARK-14987 in version 2.0.0
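The error-handling defect described above, as an added Python illustration of the pattern (not Hive's or Spark's own code): a signed-cookie verifier whose mismatch error echoes the server-computed expected signature, next to a hardened variant that returns a generic message and keeps the detail in the server log. The HMAC-SHA256 scheme, the `&s=` separator and the demo secret are choices made for this example; the concrete hash construction used by Hive's CookieSigner is not shown on the page and is not reproduced here. The `error_discloses_signature` helper is the check a reviewer can run against either variant.

```python
import base64
import hashlib
import hmac
import logging

# Constructed demo secret; a real server keeps a random secret that never leaves the process.
SECRET = b"constructed-demo-secret-do-not-deploy"
SIGNATURE_TAG = "&s="  # separator between raw value and signature (chosen for this example)

log = logging.getLogger("cookie-signer-example")


def _expected_signature(raw_value, secret=SECRET):
    """HMAC-SHA256 of the raw value, base64-encoded (generic scheme for illustration)."""
    mac = hmac.new(secret, raw_value.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def sign_cookie(raw_value, secret=SECRET):
    """Append the signature so the server can later detect tampering with raw_value."""
    return raw_value + SIGNATURE_TAG + _expected_signature(raw_value, secret)


def _split(signed):
    """Separate the raw value from the presented signature; reject cookies with no signature."""
    idx = signed.rfind(SIGNATURE_TAG)
    if idx == -1:
        raise ValueError("Invalid cookie: no signature present")
    return signed[:idx], signed[idx + len(SIGNATURE_TAG):]


def verify_vulnerable(signed, secret=SECRET):
    """The CWE-209 pattern: the mismatch error echoes the server-computed expected signature."""
    raw, presented = _split(signed)
    expected = _expected_signature(raw, secret)
    if not hmac.compare_digest(presented, expected):
        # Bug: 'expected' is precisely the value needed to produce a valid cookie for 'raw'.
        raise ValueError(f"Invalid sign, original = {presented} current = {expected}")
    return raw


def verify_fixed(signed, secret=SECRET):
    """Hardened variant: the client gets a generic message; the server log records the
    event without the signature, so neither channel discloses key-derived material."""
    raw, presented = _split(signed)
    expected = _expected_signature(raw, secret)
    if not hmac.compare_digest(presented, expected):
        log.warning("cookie signature mismatch for value %r", raw)
        raise ValueError("Invalid cookie signature")
    return raw


def error_discloses_signature(verify, signed, secret=SECRET):
    """Defender-side check: does the verifier's error message contain the correct signature?"""
    raw, _ = _split(signed)
    expected = _expected_signature(raw, secret)
    try:
        verify(signed, secret)
    except ValueError as exc:
        return expected in str(exc)
    return False  # no error raised: the cookie was valid


if __name__ == "__main__":
    good = sign_cookie("user=alice")
    tampered = "user=alice" + SIGNATURE_TAG + "bogus-signature"
    print("valid cookie accepted:", verify_fixed(good))
    print("vulnerable verifier leaks expected signature:",
          error_discloses_signature(verify_vulnerable, tampered))
    print("fixed verifier leaks expected signature:",
          error_discloses_signature(verify_fixed, tampered))
```

Both verifiers use a constant-time comparison; the only difference is what leaves the process on failure. The same check applies to logs the client can read (for example, a stack trace rendered into an HTTP response), which is why the hardened variant logs the raw value but never the computed signature.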
Attack Vector
The attack vector is network-based, targeting the Hive ThriftServer or Spark ThriftServer endpoints. An attacker would:
- Submit a request to the vulnerable service with a crafted cookie containing an intentionally invalid signature
- Capture the error response that leaks the expected valid signature
- Use the obtained signature to forge a valid cookie
- Replay the forged cookie to gain unauthorized access or impersonate other users
The attack relies on a signature mismatch condition in which the server reveals key-derived material in its response. Since the ThriftServer components handle cookie-based authentication for client sessions, successful exploitation could allow session hijacking or authentication bypass.
Detection Methods for CVE-2024-23945
Indicators of Compromise
- Unusual cookie-related error responses from Hive or Spark ThriftServer containing signature data
- Repeated failed authentication attempts followed by successful authentication from the same source
- HTTP responses containing hexadecimal signature strings in error messages
- Anomalous session patterns where cookie values appear to be replayed or modified
Detection Strategies
- Monitor HTTP response bodies from Hive and Spark ThriftServer for signature exposure patterns
- Implement logging for cookie validation failures with source IP tracking
- Deploy web application firewall (WAF) rules to detect and block requests probing for signature disclosure
- Review application logs for CookieSigner-related exceptions that may indicate exploitation attempts
Monitoring Recommendations
- Enable detailed audit logging on Apache Hive and Spark ThriftServer components
- Configure alerts for abnormal rates of cookie validation failures from single sources
- Monitor for authentication anomalies following signature mismatch errors
- Implement network traffic analysis to detect potential replay attacks using forged cookies
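The indicators and detection strategies listed above, turned into a small log analyzer as an added Python example (not part of the original advisory and not a Hive or Spark tool). It scans constructed log lines for three of the signals named on the page: failure messages that carry a signature-like token (the disclosure itself), bursts of cookie validation failures from a single source, and a run of failures followed by a successful session from the same source. The log layout (`ts src= status= msg=`), the message texts and the hex value in them are invented for this example; adapt `LINE_RE` and the status codes to the real HiveServer2 or Spark ThriftServer log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the 64-hex value is a placeholder standing in for a leaked signature.
SAMPLE_LOG = """\
2025-07-14T10:00:01Z src=198.51.100.7 status=200 msg="session opened for user=alice"
2025-07-14T10:00:05Z src=203.0.113.5 status=401 msg="Invalid sign, original = AAAA current = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
2025-07-14T10:00:06Z src=203.0.113.5 status=401 msg="Invalid sign, original = BBBB current = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
2025-07-14T10:00:07Z src=203.0.113.5 status=401 msg="Invalid sign, original = CCCC current = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
2025-07-14T10:00:09Z src=203.0.113.5 status=200 msg="session opened for user=alice"
2025-07-14T10:01:00Z src=198.51.100.9 status=401 msg="Invalid cookie signature"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) status=(?P<status>\d+) msg="(?P<msg>.*)"$')
# A signature-like token: 40+ hex characters, or 40+ base64 characters with optional padding,
# long enough not to match ordinary words in an error message.
SIG_TOKEN_RE = re.compile(
    r'(?<![A-Za-z0-9+/=])(?:[0-9a-fA-F]{40,}|[A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/=])')


def parse(log_text):
    """Turn the log into a list of event dicts, skipping lines that do not match the layout."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def is_signature_failure(ev):
    """Cookie validation failure: a 4xx whose message talks about a signature."""
    return 400 <= ev["status"] < 500 and "sign" in ev["msg"].lower()


def find_signature_disclosures(events):
    """Failure messages that carry a signature-like token are the CWE-209 leak itself."""
    hits = []
    for ev in events:
        if is_signature_failure(ev):
            for tok in SIG_TOKEN_RE.findall(ev["msg"]):
                hits.append((ev["src"], tok))
    return hits


def failure_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Sources with at least `threshold` signature failures inside any sliding window."""
    per_src = defaultdict(list)
    for ev in events:
        if is_signature_failure(ev):
            per_src[ev["src"]].append(ev["ts"])
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def failures_then_success(events, min_failures=2):
    """Sources whose run of signature failures is followed by a successful session."""
    seen_failures = defaultdict(int)
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_signature_failure(ev):
            seen_failures[ev["src"]] += 1
        elif ev["status"] == 200 and seen_failures[ev["src"]] >= min_failures:
            if ev["src"] not in flagged:
                flagged.append(ev["src"])
    return flagged


def analyze(log_text=SAMPLE_LOG):
    """Run all three detections and return their findings together."""
    events = parse(log_text)
    return {
        "disclosures": find_signature_disclosures(events),
        "bursts": failure_bursts(events),
        "failures_then_success": failures_then_success(events),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(name, finding)
```

On the sample input the generic "Invalid cookie signature" line from 198.51.100.9 counts as a validation failure but not as a disclosure, which is the behaviour a patched server should produce; the three failures from 203.0.113.5 followed by a successful session trip all three detections. Thresholds and the window are starting points to tune against a baseline of legitimate cookie failures (expired sessions, client bugs).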
How to Mitigate CVE-2024-23945
Immediate Actions Required
- Apply the official patches for Apache Hive and Apache Spark immediately
- Review and rotate any cookie signing secrets that may have been compromised
- Implement network segmentation to limit access to ThriftServer endpoints
- Enable enhanced logging to detect potential exploitation attempts before patching
Patch Information
Apache has released patches to address this vulnerability:
- Apache Hive: Apply commit 7638cb1a3b07713cc490aa2909a37037f89e08b4
- Apache Spark: Apply commit cf59b1f51c16301f689b4e0f17ba4dbd140e1b19
For detailed information, refer to the Apache Mailing List announcement and the OSS-Security discussion.
Workarounds
- Restrict network access to Hive and Spark ThriftServer endpoints to trusted networks only
- Implement reverse proxy or WAF rules to filter error responses containing sensitive signature data
- Consider disabling cookie-based authentication temporarily and using alternative authentication mechanisms if patching is delayed
- Deploy additional authentication layers such as mTLS for ThriftServer connections
# Configuration example: Restrict ThriftServer access via iptables
# Allow only trusted network ranges to access the HiveServer2 Thrift port (default 10000,
# set by hive.server2.thrift.port). Rule order matters: the ACCEPT must be added before the DROP.
iptables -A INPUT -p tcp --dport 10000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j DROP
# For Spark ThriftServer (default port 10001); adjust the port to match your deployment's configuration
iptables -A INPUT -p tcp --dport 10001 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 10001 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.