Apache Hive, the popular data warehousing solution built atop Hadoop, has recently encountered a security vulnerability (CVE-2024-23953) that allows attackers to forge valid signatures for arbitrary messages byte by byte. The vulnerability affects the LlapSignerImpl class and can lead to Distributed Denial of Service (DDoS) attacks. The attacker, however, must be an authorized user of Apache Hive to carry out this attack. Users are advised to upgrade to version 4.. or higher to fix this issue.

Exploit Details

This security vulnerability arises from the improper use of Java's built-in Arrays.equals() method in the LlapSignerImpl class of Apache Hive. Arrays.equals() returns false as soon as it finds the first differing byte. As a result, the time taken to compare two arrays depends on their content, which allows an attacker to forge a valid signature with a few non-privileged operations.

In this post, we'll examine the code snippet with the vulnerability, discuss its implications, and explore how upgrading to Apache Hive 4.. can help rectify the issue.

Below is the snippet of code in question from the LlapSignerImpl class:

@Override
public boolean verify(byte[] message, byte[] signature) {
    // Recompute the signature for the supplied message
    byte[] sig = sign(message);
    // Vulnerable: Arrays.equals() stops at the first mismatching byte,
    // so the time this call takes depends on how many leading bytes match
    return Arrays.equals(sig, signature);
}

In this function, sign() is called with the input message, and Arrays.equals() is then used to compare the computed signature with the signature supplied by the caller. Because Arrays.equals() is not a constant-time comparison, it gives an attacker the opportunity to forge a valid signature for an arbitrary message byte by byte.
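The following is an added, self-contained Java example (not code from Apache Hive or its maintainers) that places the vulnerable comparison pattern beside two constant-time alternatives. It assumes an HMAC-SHA256 signer, a constructed key and message, and the class and method names SignerComparison, verifyVulnerable, verifyConstantTime and constantTimeEquals, none of which come from the Hive code base. MessageDigest.isEqual() has compared all bytes regardless of where they differ since Java 6u17, and the explicit XOR-accumulate loop shows the same idea without relying on that library guarantee.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignerComparison {
    private final SecretKeySpec key;

    // Hypothetical signer: HMAC-SHA256 over the message with a secret key
    SignerComparison(byte[] rawKey) {
        this.key = new SecretKeySpec(rawKey, "HmacSHA256");
    }

    byte[] sign(byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(message);
    }

    // Vulnerable pattern: Arrays.equals() returns at the first differing byte,
    // so a caller that measures the call's duration learns how many leading
    // bytes of its guess were correct (this is the pattern CVE-2024-23953 describes)
    boolean verifyVulnerable(byte[] message, byte[] signature) throws Exception {
        return Arrays.equals(sign(message), signature);
    }

    // Hardened pattern: MessageDigest.isEqual() examines every byte before
    // answering, so the duration no longer depends on where the mismatch is
    boolean verifyConstantTime(byte[] message, byte[] signature) throws Exception {
        return MessageDigest.isEqual(sign(message), signature);
    }

    // Explicit constant-time comparison for reference. Only the length check
    // short-circuits; the length of a MAC is public, so that leaks nothing
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a == null || b == null) {
            return a == b;
        }
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];   // accumulate every difference, never break early
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and message; not real Hive material
        byte[] sampleKey = "constructed-demo-key-not-a-real-secret".getBytes(StandardCharsets.UTF_8);
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        SignerComparison signer = new SignerComparison(sampleKey);

        byte[] valid = signer.sign(message);
        byte[] tampered = valid.clone();
        tampered[tampered.length - 1] ^= 0x01;   // flip one bit in the last byte

        // Both verifiers agree on the result; only their timing behaviour differs
        System.out.println("vulnerable, valid sig:     " + signer.verifyVulnerable(message, valid));
        System.out.println("vulnerable, tampered sig:  " + signer.verifyVulnerable(message, tampered));
        System.out.println("constant-time, valid sig:  " + signer.verifyConstantTime(message, valid));
        System.out.println("constant-time, tampered:   " + signer.verifyConstantTime(message, tampered));
        System.out.println("explicit loop, valid sig:  " + constantTimeEquals(valid, signer.sign(message)));
        System.out.println("explicit loop, tampered:   " + constantTimeEquals(valid, tampered));
    }
}
```

The functional result is identical for both verifiers, which is exactly why this class of bug survives review: the test suite passes either way. The check a reviewer wants is that any comparison of a secret-derived value (a MAC, a signature, a password hash) uses MessageDigest.isEqual() or an equivalent constant-time routine rather than Arrays.equals() or equals().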

How the Exploit Works

An attacker seeking unauthorized access or privilege escalation can analyze how the response time of the signature verification varies. By measuring the response time as each byte is compared, the attacker can forge the desired signature. This can lead to unauthorized access and potential DDoS attacks if the malicious user submits chosen signatures to LLAP without running as a privileged user.

Resolution

To mitigate this vulnerability, users are strongly encouraged to upgrade their Apache Hive installation to version 4.. or higher. The issue has been resolved in the newer version, providing a more secure environment for Apache Hive users.

Original References

- CVE-2024-23953 - Official CVE Details
- Apache Hive Security Advisory
- Apache Hive 4.. Release Information

Conclusion

The CVE-2024-23953 vulnerability in Apache Hive's LlapSignerImpl class can potentially allow attackers to forge valid signatures for arbitrary messages byte by byte. As a result, it could lead to unauthorized access to the system and DDoS attacks. It is crucial for users to upgrade their Apache Hive installation to version 4.. or higher, which includes the fix for this vulnerability.

Timeline

Published on: 01/28/2025 09:15:09 UTC
Last modified on: 03/14/2025 16:15:29 UTC