
CVE-2016-3083

UNKNOWN
Published 2017-05-30T14:00:00

No CVSS data available

Description

Apache Hive (JDBC client and HiveServer2) supports SSL/TLS in both of its transport modes, plain TCP (binary Thrift) and HTTP. While validating the server's certificate during connection setup, the JDBC client in Apache Hive before 1.2.2, and 2.0.x before 2.0.1, does not verify that the certificate was issued for the host it is connecting to: the common name attribute of the certificate is never compared with the requested server name. So if a JDBC client opens an SSL connection to server abc.com and the server presents a certificate that chains to a trusted CA but was issued to xyz.com, the client accepts it as valid and the SSL handshake completes. Chain validation alone does not bind the certificate to the server, so anyone who can redirect or intercept the connection and holds any CA-issued certificate can impersonate HiveServer2 to a vulnerable client without the client noticing.
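The missing step is hostname verification, performed after the certificate chain has already been validated. The following is an added worked example written for this page, not code from Apache Hive: it models a TLS client's decision with and without that step, implementing the RFC 6125 matching rules (dNSName SAN entries take precedence over the subject CN, matching is case-insensitive, a wildcard covers exactly one left-most label). The certificate records, the host names abc.com and xyz.com, and the function names are constructed for illustration.

```python
"""Hostname verification of a TLS server certificate, the check that the
pre-fix Hive JDBC client skipped (illustrative code added for this page, not
Apache Hive code). Certificates are modelled as dicts holding the fields a
client extracts from the parsed X.509 certificate: subject commonName and
dNSName subjectAltName entries. All certificate data below is constructed."""


class HostnameMismatch(Exception):
    """Raised when a certificate was not issued for the requested host."""


def _match_pattern(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one presented name against the host.

    Matching is case-insensitive. A wildcard is honoured only as the entire
    left-most label of a name with at least two further labels, and it
    matches exactly one label, so *.xyz.com covers db1.xyz.com but neither
    xyz.com nor a.b.xyz.com (and *.com is never accepted).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, host: str) -> None:
    """Raise HostnameMismatch unless `cert` was issued for `host`.

    dNSName SAN entries are authoritative; the subject CN is consulted only
    when the certificate carries no dNSName SAN at all (RFC 6125 s. 6.4.4).
    IP-literal hosts would need iPAddress SAN matching and are not handled here.
    """
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        candidates = sans
    else:
        candidates = [v for k, v in cert.get("subject", ()) if k == "commonName"]
    if not candidates:
        raise HostnameMismatch(f"certificate presents no DNS identity for {host!r}")
    if not any(_match_pattern(name, host) for name in candidates):
        raise HostnameMismatch(
            f"certificate issued for {candidates}, not for {host!r}")


def client_accepts(cert: dict, host: str, verify_host: bool) -> bool:
    """Client decision once chain validation (CA signature, validity) passed.

    verify_host=False reproduces the behaviour described in the CVE: a
    CA-signed certificate for any name is accepted. verify_host=True is the
    corrected behaviour.
    """
    if not verify_host:
        return True
    try:
        verify_hostname(cert, host)
    except HostnameMismatch:
        return False
    return True


# Constructed sample certificates (not real certificates).
CERT_FOR_XYZ = {  # CA-signed, issued to xyz.com: the impersonator's certificate
    "subject": (("commonName", "xyz.com"),),
    "subjectAltName": (("DNS", "xyz.com"), ("DNS", "*.xyz.com")),
}
CERT_FOR_ABC_CN_ONLY = {  # legacy certificate with no SAN extension
    "subject": (("commonName", "abc.com"),),
}
CERT_SAN_OVERRIDES_CN = {  # CN says abc.com, but the SAN list does not
    "subject": (("commonName", "abc.com"),),
    "subjectAltName": (("DNS", "xyz.com"),),
}


def demo() -> list:
    """Run the scenario from the description and return the decisions."""
    cases = [
        ("abc.com", CERT_FOR_XYZ, False),          # vulnerable client: accepted
        ("abc.com", CERT_FOR_XYZ, True),           # fixed client: rejected
        ("xyz.com", CERT_FOR_XYZ, True),
        ("db1.xyz.com", CERT_FOR_XYZ, True),       # wildcard match
        ("a.b.xyz.com", CERT_FOR_XYZ, True),       # wildcard spans one label only
        ("ABC.COM", CERT_FOR_ABC_CN_ONLY, True),   # CN fallback, case-insensitive
        ("abc.com", CERT_SAN_OVERRIDES_CN, True),  # SAN present, CN ignored
    ]
    results = []
    for host, cert, verify in cases:
        ok = client_accepts(cert, host, verify)
        results.append((host, verify, ok))
        print(f"host={host:<12} verify_host={verify!s:<5} -> {'ACCEPT' if ok else 'REJECT'}")
    return results


if __name__ == "__main__":
    demo()
```

Java clients get the same check from the platform rather than hand-written code: on an SSLSocket, set `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` before the handshake, and for an HTTP-mode client built on Apache HttpClient, supply a real hostname verifier (for example `DefaultHostnameVerifier`) instead of a no-op one. A quick acceptance test for any JDBC client is the scenario above: point it at a listener presenting a valid, CA-signed certificate for a different name and confirm the connection fails.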

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

GitHub Reviewed. Severity: HIGH

org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service vulnerable to Improper Certificate Validation

GHSA-gf2v-9hp6-44qg

Advisory Details

The advisory text is the CVE description reproduced above.

Affected Packages (Maven)

org.apache.hive:hive: >= 0, < 1.2.2; >= 2.0.0, < 2.0.1
org.apache.hive:hive-service: >= 0, < 1.2.2; >= 2.0.0, < 2.0.1
org.apache.hive:hive-exec: >= 0, < 1.2.2; >= 2.0.0, < 2.0.1

Fixed in 1.2.2 and 2.0.1 respectively.

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Advisory provided by GitHub Security Advisory Database. Published: March 14, 2019, Modified: September 17, 2022

References

Published: 2017-05-30T14:00:00
Last Modified: 2024-08-05T23:40:15.584Z