HBase, mail # user - Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability


Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Joey Echeverria 2012-04-06, 17:20
I don't know when the CVE will be published, but there are details
available here:

https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin

-Joey

On Fri, Apr 6, 2012 at 10:11 AM, Andrew Purtell <[EMAIL PROTECTED]> wrote:
> Details of the below vulnerability have not been released.
>
> Given that HBase security has as its foundation Apache Hadoop authentication, at this time we must assume any secure HBase deployment is equally vulnerable.
>
> I will update you when more information is available.
>
>
> Best regards,
>
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
>
>
>
> ----- Forwarded Message -----
>> From: Aaron T. Myers <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
>> Cc:
>> Sent: Thursday, April 5, 2012 7:31 PM
>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Hello,
>>
>> Users of Apache Hadoop should be aware of a security vulnerability recently
>> discovered, as described by the following CVE. In particular, please note
>> the "Users affected", "Versions affected", and
>> "Mitigation" sections.
>>
>> Best,
>> Aaron
>>
>> --
>> Aaron T. Myers
>> Software Engineer, Cloudera
>>
>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>
>> Severity: Critical
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>> Hadoop 1.0.0 to 1.0.1
>> Hadoop 0.23.0 to 0.23.1.
>>
>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>> features.
>>
>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>> any other user on the cluster.
>>
>> Mitigation:
>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>
>> Credit:
>> This issue was discovered by Aaron T. Myers of Cloudera.
>>

--
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.