Hadoop >> mail # general >> [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
I received off list communication that the fix is here: https://github.com/apache/hadoop-common/commit/fda454
Thank you, this is the missing disclosure we were looking for.
I did not go so far back in time as >~ 21 days because the announcement was made today, so missed it.
So there is additional mitigation possible, for example, a user can patch task-controller quite readily and roll out an emergency upgrade.
Best regards,
    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)

----- Original Message -----
> From: Andrew Purtell <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>; "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Cc:
> Sent: Friday, April 6, 2012 10:02 AM
> Subject: Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>
> This is not a helpful disclosure.
>
> Now we know our "secure" deployment is vulnerable, but have no idea
> how to mitigate. Claiming an upgrade to a nonexistent version with an,
> apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA for
> this?
>
> Best regards,
>
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
> Tom White)
>
>
>
> ----- Original Message -----
>>  From: Aaron T. Myers <[EMAIL PROTECTED]>
>>  To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
>>  [EMAIL PROTECTED]; [EMAIL PROTECTED]
>>  Cc:
>>  Sent: Thursday, April 5, 2012 7:31 PM
>>  Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>>  Hello,
>>
>>  Users of Apache Hadoop should be aware of a security vulnerability recently
>>  discovered, as described by the following CVE. In particular, please note
>>  the "Users affected", "Versions affected", and
>>  "Mitigation" sections.
>>
>>  Best,
>>  Aaron
>>
>>  --
>>  Aaron T. Myers
>>  Software Engineer, Cloudera
>>
>>  CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>
>>  Severity: Critical
>>
>>  Vendor: The Apache Software Foundation
>>
>>  Versions Affected:
>>  Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>  Hadoop 1.0.0 to 1.0.1
>>  Hadoop 0.23.0 to 0.23.1.
>>
>>  Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>>  features.
>>
>>  Impact: Vulnerability allows an authenticated malicious user to impersonate
>>  any other user on the cluster.
>>
>>  Mitigation:
>>  0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>  0.23.x users should upgrade to 0.23.2 when it becomes available
>>
>>  Credit:
>>  This issue was discovered by Aaron T. Myers of Cloudera.
>>
>