Timing Attack Affecting org.apache.hive:hive-llap-common package, versions [,4.0.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGAPACHEHIVE-8663471
  • published28 Jan 2025
  • disclosed28 Jan 2025
  • creditAndrea Cosentino

Introduced: 28 Jan 2025

NewCVE-2024-23953  (opens in a new tab)
CWE-208  (opens in a new tab)

How to fix?

Upgrade org.apache.hive:hive-llap-common to version 4.0.0 or higher.

Overview

Affected versions of this package are vulnerable to Timing Attack through the use of Arrays.equals() in LlapSignerImpl. An attacker can forge a valid signature for an arbitrary message byte by byte by exploiting the non-constant time comparison of message signatures, potentially leading to DDoS attack.

Note:

This is only exploitable if the attacker is an authorized user of the product.

CVSS Scores

version 4.0
version 3.1