CVE-2024-23945

5.9 MEDIUM

📋 TL;DR

Apache Hive and Spark expose correct cookie signatures during signature mismatch errors, potentially allowing attackers to forge valid signed cookies. This affects systems using Hive service or Spark Hive ThriftServer components. The vulnerability could lead to authentication bypass or session hijacking.

💻 Affected Systems

Products:
  • Apache Hive
  • Apache Spark
Versions: Hive 1.2.0+ (introduced by HIVE-9710), Spark 2.0.0+ (introduced by SPARK-14987)
Operating Systems: All operating systems running affected Hive/Spark versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Hive service or Spark Hive ThriftServer components with cookie signing enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain valid cookie signatures and forge authenticated sessions, leading to unauthorized access, data manipulation, or privilege escalation.

🟠 Likely Case

Information disclosure of cookie signatures that could be used in combination with other vulnerabilities for session hijacking or authentication bypass.

🟢 If Mitigated

Limited impact with proper network segmentation, monitoring, and defense-in-depth controls that detect abnormal cookie activity.

🌐 Internet-Facing: MEDIUM - Internet-facing Hive/Spark services could expose cookie signatures to external attackers, but exploitation requires additional steps.
🏢 Internal Only: LOW - Internal-only deployments reduce exposure, but insider threats or compromised internal systems could still exploit the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering signature mismatch errors and then using disclosed signatures to forge cookies. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific commits: Hive commit 7638cb1a3b07713cc490aa2909a37037f89e08b4, Spark commit cf59b1f51c16301f689b4e0f17ba4dbd140e1b19

Vendor Advisory: https://issues.apache.org/jira/browse/HIVE-9710

Restart Required: Yes

Instructions:

1. Update Apache Hive to version with fix commit 7638cb1a3b.
2. Update Apache Spark to version with fix commit cf59b1f51c.
3. Restart affected Hive service or Spark ThriftServer components.

🔧 Temporary Workarounds

Disable cookie signing (all platforms)

Temporarily disable cookie signing feature to prevent signature exposure

Configure hive.server2.use.SSL=false and adjust authentication settings

Network isolation (all platforms)

Restrict access to Hive/Spark services to trusted networks only

Use firewall rules to limit access to specific IP ranges

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to Hive/Spark services
  • Enable detailed logging and monitoring for cookie signature mismatch errors

🔍 How to Verify

Check if Vulnerable:

Check if running Hive 1.2.0+ or Spark 2.0.0+ with Hive ThriftServer, and verify if cookie signing is enabled in configuration.

Check Version:

For Hive: hive --version
For Spark: spark-submit --version

Verify Fix Applied:

Verify that the fix commits are present in your Hive/Spark installation and test that cookie signature mismatches no longer expose correct signatures.
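The flaw class and the regression check described above, as an added example that is not Hive or Spark code: a signer whose mismatch error carries the server-computed signature, next to a hardened one, plus a check that fails if the error text discloses it. The class and function names, the `&s=` cookie layout, the HMAC-SHA256 construction and the error strings are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SEPARATOR = "&s="  # constructed cookie layout: <value>&s=<signature>


class CookieSigner:
    """Illustrative signer; leaky=True reproduces the flawed error path."""

    def __init__(self, secret: bytes, leaky: bool):
        self.secret = secret
        self.leaky = leaky

    def _signature(self, value: str) -> str:
        mac = hmac.new(self.secret, value.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode()

    def sign(self, value: str) -> str:
        return value + SEPARATOR + self._signature(value)

    def verify_and_extract(self, cookie: str) -> str:
        value, sep, presented = cookie.rpartition(SEPARATOR)
        if not sep:
            raise ValueError("cookie is not signed")
        expected = self._signature(value)
        if self.leaky:
            # Flawed pattern: the error text carries the server-computed signature.
            if presented != expected:
                raise ValueError(
                    f"invalid signature: got {presented}, expected {expected}")
        elif not hmac.compare_digest(presented.encode(), expected.encode()):
            # Hardened pattern: constant-time compare, and nothing derived
            # from the secret appears in the error.
            raise ValueError("invalid cookie signature")
        return value


def mismatch_error_discloses_signature(signer: CookieSigner, value: str) -> bool:
    """Regression check: present a wrong signature and inspect the error text."""
    expected = signer._signature(value)  # the defender holds the secret
    try:
        signer.verify_and_extract(value + SEPARATOR + "AAAA")
    except ValueError as err:
        return expected in str(err)
    raise AssertionError("a cookie with a wrong signature was accepted")
```

The same check applies to anything that relays the error, such as HTTP response bodies and server logs, since a fixed comparison that still logs the expected value leaves the disclosure in place.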

📡 Detection & Monitoring

Log Indicators:

  • Cookie signature mismatch errors in Hive/Spark logs
  • Multiple failed authentication attempts with cookie errors

Network Indicators:

  • Unusual patterns of requests triggering authentication errors
  • Requests attempting to manipulate cookie signatures

SIEM Query:

(source="hive.log" OR source="spark.log") AND ("signature mismatch" OR "cookie error" OR "authentication failure")
