Re: CVE-2016-3083: Apache Hive SSL vulnerability bug disclosure

[Sergio Pena <sergio.pena () cloudera com>]

Hi Vaibhav,

Do you happen to know which JIRA or patches addressed this issue?

- Sergio

On Wed, May 24, 2017 at 5:56 PM, Vaibhav Gumashta <vgumashta () hortonworks com
> wrote:

> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Hive 0.13.x
> Apache Hive 0.14.x
> Apache Hive 1.0.0 - 1.0.1
> Apache Hive 1.1.0 - 1.1.1
> Apache Hive 1.2.0 - 1.2.1
> Apache Hive 2.0.0
>
> Description:
>
> Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP
> connections (it supports both transport modes). While validating the
> server's certificate during the connection setup, the client doesn't seem
> to be verifying the common name attribute of the certificate. In this way,
> if a JDBC client sends an SSL request to server abc.com, and the server
> responds with a valid certificate (certified by CA) but issued to xyz.com,
> the client will accept that as a valid certificate and the SSL handshake
> will go through.
>
> Mitigation:
>
> Upgrade to Apache Hive 1.2.2 for 1.x release line, or to Apache Hive 2.0.1
> or later for 2.0.x release line, or to Apache Hive 2.1.0 and later for
> 2.1.x release line.
>
> Credit: This issue was discovered by Branden Crawford from Inteco Systems
> Limited (inetco.com).