[ https://issues.apache.org/jira/browse/HIVE-17152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107980#comment-16107980 ]
Tao Li commented on HIVE-17152:
-------------------------------

All test failures except the below ones are tracked in HIVE-15058.

org.apache.hive.jdbc.TestJdbcWithMiniHS2.testConcurrentStatements (batchId=228)
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testParallelCompilation2 (batchId=228)

Those 2 tests passed locally on my box. If they keep recurring, then we can add them to HIVE-15058.

[~thejas] Can you please review the patch?

> Improve security of random generator for HS2 cookies
> ----------------------------------------------------
>
>                 Key: HIVE-17152
>                 URL: https://issues.apache.org/jira/browse/HIVE-17152
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Tao Li
>            Assignee: Tao Li
>         Attachments: HIVE-17152.1.patch
>
>
> The random number generated is used as a secret to append to a sequence and
> SHA to implement a CookieSigner. If this is attackable, then it's possible
> for an attacker to sign a cookie as if we had. We should fix this and use
> SecureRandom as a stronger random function.
> HTTPAuthUtils has a similar issue. If that is attackable, an attacker might
> be able to create a similar cookie. Paired with the above issue with the
> CookieSigner, it could reasonably spoof a HS2 cookie.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
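The issue description above concerns where a cookie signer's secret comes from. The following is an added example, not code from HIVE-17152.1.patch or from Hive: it contrasts a secret drawn from `java.util.Random` with one drawn from `SecureRandom` and signs a cookie by hashing the value with the secret appended. The class name, the `&s=` layout, the choice of SHA-256 and the sample cookie value are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class CookieSecretExample {
    // Weak: java.util.Random is a 48-bit LCG, so the "secret" is a pure
    // function of a small seed and is not suitable as key material.
    static String weakSecret(long seed) {
        return Long.toString(new Random(seed).nextLong());
    }

    // Hardened: 256 bits drawn from the platform CSPRNG.
    static String strongSecret() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    // Assumed cookie layout: value + "&s=" + Base64(SHA-256(value || secret)).
    static String sign(String value, String secret) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(value.getBytes(StandardCharsets.UTF_8));
        md.update(secret.getBytes(StandardCharsets.UTF_8));
        return value + "&s=" + Base64.getEncoder().encodeToString(md.digest());
    }

    // Recompute the signature and compare in constant time.
    static boolean verify(String signed, String secret) throws NoSuchAlgorithmException {
        int idx = signed.lastIndexOf("&s=");
        if (idx < 0) return false;
        byte[] expected = sign(signed.substring(0, idx), secret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, signed.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Same seed, same "secret": all the entropy is in the seed.
        System.out.println("weak repeatable: " + weakSecret(42L).equals(weakSecret(42L)));

        String secret = strongSecret();
        String cookie = sign("cu=alice&rn=1", secret); // constructed sample value
        System.out.println("valid cookie:    " + verify(cookie, secret));
        System.out.println("tampered cookie: " + verify(cookie.replace("alice", "admin"), secret));
        System.out.println("wrong secret:    " + verify(cookie, strongSecret()));
    }
}
```

The signature is only as unpredictable as the secret, which is why the generator behind the secret matters more than the hash that consumes it.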