Hello -

Was there a particular JIRA(s) that went into Hive 1.2.2 that fixed this issue?

Thanks much.
Ying

On Wed, May 24, 2017 at 3:56 PM, Vaibhav Gumashta <vgumas...@hortonworks.com> wrote:

> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Hive 0.13.x
> Apache Hive 0.14.x
> Apache Hive 1.0.0 - 1.0.1
> Apache Hive 1.1.0 - 1.1.1
> Apache Hive 1.2.0 - 1.2.1
> Apache Hive 2.0.0
>
> Description:
>
> Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP
> connections (it supports both transport modes). While validating the
> server’s certificate during the connection setup, the client doesn’t seem
> to be verifying the common name attribute of the certificate. In this way,
> if a JDBC client sends an SSL request to server abc.com, and the server
> responds with a valid certificate (certified by CA) but issued to xyz.com,
> the client will accept that as a valid certificate and the SSL handshake
> will go through.
>
> Mitigation:
>
> Upgrade to Apache Hive 1.2.2 for 1.x release line, or to Apache Hive 2.0.1
> or later for 2.0.x release line, or to Apache Hive 2.1.0 and later for
> 2.1.x release line.
>
> Credit: This issue was discovered by Branden Crawford from Inteco Systems
> Limited (inetco.com).
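
Added example, not part of the thread or of Hive's code: the name check the advisory describes as missing, sketched in Python rather than Hive's Java and applied to the abc.com / xyz.com case. It goes beyond the common name to cover subjectAltName and wildcard entries. Function names are hypothetical, the certificate dicts are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(), and chain validation is assumed to have been done already.

```python
# Added example: server-name check over the dict shape returned by
# ssl.SSLSocket.getpeercert(). All names here are hypothetical.

def _dns_names(cert):
    """Names the certificate is issued to: DNS SANs if present, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _name_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        return p[1:] == h[1:]
    return p == h

def hostname_matches(cert, requested_host):
    """True if any name in the certificate covers the host the client asked for."""
    return any(_name_match(name, requested_host) for name in _dns_names(cert))

def accept_server(chain_is_trusted, cert, requested_host, verify_name=True):
    """verify_name=False reproduces the advisory's behaviour: chain check only."""
    if not chain_is_trusted:
        return False
    return hostname_matches(cert, requested_host) if verify_name else True

# Constructed sample certificates (already parsed, chain assumed CA-signed).
CERT_XYZ = {"subject": ((("commonName", "xyz.com"),),)}
CERT_WILD = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.abc.com"), ("DNS", "abc.com")),
}

if __name__ == "__main__":
    # Client asked for abc.com, server presented a CA-signed cert for xyz.com.
    print("chain only :", accept_server(True, CERT_XYZ, "abc.com", verify_name=False))
    print("with name  :", accept_server(True, CERT_XYZ, "abc.com"))
    print("wildcard   :", hostname_matches(CERT_WILD, "hs2.abc.com"))
```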