[
https://issues.apache.org/jira/browse/HIVE-17152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107980#comment-16107980
]
Tao Li commented on HIVE-17152:
-------------------------------
All test failures except the below ones are tracked in HIVE-15058.
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testConcurrentStatements (batchId=228)
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testParallelCompilation2 (batchId=228)
Those 2 tests passed locally on my box. If they keep recurring, then we can add
them to HIVE-15058.
[~thejas] Can you please review the patch?
> Improve security of random generator for HS2 cookies
> ----------------------------------------------------
>
> Key: HIVE-17152
> URL: https://issues.apache.org/jira/browse/HIVE-17152
> Project: Hive
> Issue Type: Bug
> Components: HiveServer2
> Reporter: Tao Li
> Assignee: Tao Li
> Attachments: HIVE-17152.1.patch
>
>
> The random number generated is used as a secret to append to a sequence and
> SHA to implement a CookieSigner. If this is attackable, then it's possible
> for an attacker to sign a cookie as if we had. We should fix this and use
> SecureRandom as a stronger random function .
> HTTPAuthUtils has a similar issue. If that is attackable, an attacker might
> be able to create a similar cookie. Paired with the above issue with the
> CookieSigner, it could reasonably spoof a HS2 cookie.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
