HBase >> mail # user >> Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability


Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
I don't know when the CVE will be published, but there are details
available here:

https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin

-Joey

On Fri, Apr 6, 2012 at 10:11 AM, Andrew Purtell <[EMAIL PROTECTED]> wrote:
> Details of the below vulnerability have not been released.
>
> Given that HBase security has as its foundation Apache Hadoop authentication, at this time we must assume any secure HBase deployment is equally vulnerable.
>
> I will update you when more information is available.
>
>
> Best regards,
>
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
>
>
>
> ----- Forwarded Message -----
>> From: Aaron T. Myers <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
>> Cc:
>> Sent: Thursday, April 5, 2012 7:31 PM
>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Hello,
>>
>> Users of Apache Hadoop should be aware of a security vulnerability recently
>> discovered, as described by the following CVE. In particular, please note
>> the "Users affected", "Versions affected", and
>> "Mitigation" sections.
>>
>> Best,
>> Aaron
>>
>> --
>> Aaron T. Myers
>> Software Engineer, Cloudera
>>
>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>
>> Severity: Critical
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>> Hadoop 1.0.0 to 1.0.1
>> Hadoop 0.23.0 to 0.23.1.
>>
>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>> features.
>>
>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>> any other user on the cluster.
>>
>> Mitigation:
>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>
>> Credit:
>> This issue was discovered by Aaron T. Myers of Cloudera.
>>

--
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.