CVE-2024-23953

Summary

CVE-2024-23953 is a vulnerability affecting Apache Hive's LlapSignerImpl component. An attacker, with authorized access, can manipulate message signatures by exploiting the use of Arrays.equals() method for comparison. This vulnerability allows an attacker to forge valid signatures for arbitrary messages byte by byte, possibly enabling unauthorized access to LLAP and leading to Denial of Service attacks. The issue stems from the application's failure to employ constant-time algorithms for signature validation. Affected users are advised to upgrade to version 4.0.0 for a fix.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.