HBase, mail # dev - Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Joey Echeverria 2012-04-06, 17:58
If you're not running MapReduce, you're safe.

-Joey

On Fri, Apr 6, 2012 at 10:30 AM, Andrew Purtell <[EMAIL PROTECTED]> wrote:
> Thanks.
>
>
> The problem with that disclosure as written is it provided no information as to the nature of the vulnerability. And, as you mention, the CVE is 404.
>
>> "Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security features."
>
> Well, we have enabled Hadoop's Kerberos security features. The additional qualification of "MapReduce" is there but there is insufficient context. So a broad reading is required.
>
>> "Impact: Vulnerability allows an authenticated malicious user to impersonate any other user on the cluster."
>
> The implication given the lack of information is that Hadoop's Kerberos based authentication is worthless.
>
> Thankfully that is not the case, and HBase is not affected.
>
> Best regards,
>
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
>
>
>
> ----- Original Message -----
>> From: Joey Echeverria <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]; Andrew Purtell <[EMAIL PROTECTED]>
>> Cc:
>> Sent: Friday, April 6, 2012 10:19 AM
>> Subject: Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> I'm not sure why the CVE isn't published yet, but the details are
>> available here:
>>
>> https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin
>>
>> -Joey
>>
>> On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <[EMAIL PROTECTED]>
>> wrote:
>>>  Failed to CC dev@, my apologies.
>>>
>>>
>>>
>>>  ----- Forwarded Message -----
>>>
>>>>  From: Andrew Purtell <[EMAIL PROTECTED]>
>>>>  To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>>>>  Cc:
>>>>  Sent: Friday, April 6, 2012 10:11 AM
>>>>  Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>>
>>>>  Details of the below vulnerability have not been released.
>>>>
>>>>  Given that HBase security has as its foundation Apache Hadoop authentication, at
>>>>  this time we must assume any secure HBase deployment is equally vulnerable.
>>>>
>>>>  I will update you when more information is available.
>>>>
>>>>
>>>>  Best regards,
>>>>
>>>>
>>>>      - Andy
>>>>
>>>>  Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
>>>>
>>>>
>>>>
>>>>  ----- Forwarded Message -----
>>>>>   From: Aaron T. Myers <[EMAIL PROTECTED]>
>>>>>   To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
>>>>>   Cc:
>>>>>   Sent: Thursday, April 5, 2012 7:31 PM
>>>>>   Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>>>
>>>>>   Hello,
>>>>>
>>>>>   Users of Apache Hadoop should be aware of a security vulnerability recently
>>>>>   discovered, as described by the following CVE. In particular, please note
>>>>>   the "Users affected", "Versions affected", and "Mitigation" sections.
>>>>>
>>>>>   Best,
>>>>>   Aaron
>>>>>
>>>>>   --
>>>>>   Aaron T. Myers
>>>>>   Software Engineer, Cloudera
>>>>>
>>>>>   CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>>>
>>>>>   Severity: Critical
>>>>>
>>>>>   Vendor: The Apache Software Foundation
>>>>>
>>>>>   Versions Affected:
>>>>>   Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>>>   Hadoop 1.0.0 to 1.0.1
>>>>>   Hadoop 0.23.0 to 0.23.1.
>>>>>
>>>>>   Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>>>>>   features.
>>>>>
>>>>>   Impact: Vulnerability allows an authenticated malicious user to impersonate
>>>>>   any other user on the cluster.
>>>>>
>>>>>   Mitigation:
>>>>>   0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>>>   0.23.x users should upgrade to 0.23.2 when it becomes available
>>>>>
>>>>>   Credit:
>>>>>   This issue was discovered by Aaron T. Myers of Cloudera.
>>>>>
>>>>
>>
>>
>>
>> --
>> Joey Echeverria
>> Senior Solutions Architect
>> Cloudera, Inc.

Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.
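The bulletin above only lists affected version ranges and an upgrade target, and the thread adds the two exposure conditions (Hadoop Kerberos security enabled, MapReduce in use). The following triage helper is an added example, not code from the advisory, from Hadoop or from HBase: it encodes those ranges and conditions so an operator can check a cluster consistently. It assumes that `hadoop.security.authentication=kerberos` in core-site.xml is the switch for Hadoop's Kerberos security, and takes "running MapReduce" as a caller-supplied flag since the thread gives no config key for it; the core-site.xml sample is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as the advisory lists them (inclusive, padded to 4 parts).
AFFECTED_RANGES = [
    ((0, 20, 203, 0), (0, 20, 205, 0)),   # 0.20.203.0, 0.20.204.0, 0.20.205.0
    ((1, 0, 0, 0), (1, 0, 1, 0)),         # 1.0.0 to 1.0.1
    ((0, 23, 0, 0), (0, 23, 1, 0)),       # 0.23.0 to 0.23.1
]
# Upgrade target per the advisory's Mitigation section, keyed by release line.
UPGRADE_TARGET = {(0, 20): "1.0.2", (1, 0): "1.0.2", (0, 23): "0.23.2"}
# Constructed sample core-site.xml with Hadoop Kerberos security switched on (assumed key).
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""

def parse_version(text):
    """Normalise '0.20.205.0', '1.0.1' or '1.0.1-SNAPSHOT' to a 4-tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"unrecognised Hadoop version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def version_affected(text):
    """True when the release falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def kerberos_enabled(core_site_xml):
    """Read hadoop.security.authentication from a core-site.xml document string."""
    root = ET.fromstring(core_site_xml)
    for prop in root.iter("property"):
        if prop.findtext("name", "").strip() == "hadoop.security.authentication":
            return prop.findtext("value", "").strip().lower() == "kerberos"
    return False  # key absent: Hadoop defaults to 'simple', i.e. security off

def triage(version, core_site_xml, running_mapreduce):
    """Combine the advisory's version list with the thread's exposure conditions."""
    affected = version_affected(version)
    exposed = affected and kerberos_enabled(core_site_xml) and running_mapreduce
    line = parse_version(version)[:2]
    if not affected:
        action = "not in an affected release; no action required"
    elif exposed:
        action = f"upgrade to {UPGRADE_TARGET[line]}"
    else:
        action = f"affected release but not exposed; upgrade to {UPGRADE_TARGET[line]} at next opportunity"
    return {"affected_version": affected, "exposed": exposed, "action": action}
```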