Hadoop, mail # general - [CVE-2012-1574] Apache Hadoop user impersonation vulnerability


Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Andrew Purtell 2012-04-06, 17:19
I received off list communication that the fix is here: https://github.com/apache/hadoop-common/commit/fda454
Thank you, this is the missing disclosure we were looking for.
I did not go so far back in time as >~ 21 days because the announcement was made today, so missed it.
So there is additional mitigation possible, for example, a user can patch task-controller quite readily and roll out an emergency upgrade.
Best regards,
    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)

----- Original Message -----
> From: Andrew Purtell <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>; "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Cc:
> Sent: Friday, April 6, 2012 10:02 AM
> Subject: Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>
> This is not a helpful disclosure.
>
> Now we know our "secure" deployment is vulnerable, but have no idea
> how to mitigate. Claiming an upgrade to a nonexistent version with an,
> apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA for
> this?
>
> Best regards,
>
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
>
>
>
> ----- Original Message -----
>>  From: Aaron T. Myers <[EMAIL PROTECTED]>
>>  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
>>  Cc:
>>  Sent: Thursday, April 5, 2012 7:31 PM
>>  Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>>  Hello,
>>
>>  Users of Apache Hadoop should be aware of a security vulnerability recently
>>  discovered, as described by the following CVE. In particular, please note
>>  the "Users affected", "Versions affected", and
>>  "Mitigation" sections.
>>
>>  Best,
>>  Aaron
>>
>>  --
>>  Aaron T. Myers
>>  Software Engineer, Cloudera
>>
>>  CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>
>>  Severity: Critical
>>
>>  Vendor: The Apache Software Foundation
>>
>>  Versions Affected:
>>  Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>  Hadoop 1.0.0 to 1.0.1
>>  Hadoop 0.23.0 to 0.23.1.
>>
>>  Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security features.
>>
>>  Impact: Vulnerability allows an authenticated malicious user to impersonate
>>  any other user on the cluster.
>>
>>  Mitigation:
>>  0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>  0.23.x users should upgrade to 0.23.2 when it becomes available
>>
>>  Credit:
>>  This issue was discovered by Aaron T. Myers of Cloudera.
>>
>
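Added example, not part of the thread above and not code from the Hadoop project: a small Python triage script that encodes the advisory's "Versions affected" list and checks a core-site.xml for the "Users affected" condition (Hadoop's security features enabled, i.e. hadoop.security.authentication set to kerberos; the property name and its kerberos/simple values are standard Hadoop configuration, and "simple" is the default when the property is absent). The version string and XML fragments below are constructed sample input, and the `triage` function name and its return labels are this example's own choice.

```python
"""Triage helper for CVE-2012-1574: is this cluster in the advisory's affected set?"""
import re
import xml.etree.ElementTree as ET

# Inclusive version ranges copied from the advisory text:
# 0.20.203.0 .. 0.20.205.0, 1.0.0 .. 1.0.1, 0.23.0 .. 0.23.1
AFFECTED_RANGES = [
    ((0, 20, 203, 0), (0, 20, 205, 0)),
    ((1, 0, 0), (1, 0, 1)),
    ((0, 23, 0), (0, 23, 1)),
]

# Constructed sample input: first line of `hadoop version` on a 1.0.1 node.
SAMPLE_VERSION_TEXT = "Hadoop 1.0.1"

# Constructed sample core-site.xml fragments: one secure cluster, one not.
SECURE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.default.name</name><value>hdfs://nn.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

INSECURE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.default.name</name><value>hdfs://nn.example.internal:8020</value></property>
</configuration>"""


def parse_version(text):
    """Pull the dotted numeric version out of a string such as 'Hadoop 1.0.1'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number found in %r" % (text,))
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version, width):
    """Right-pad a version tuple with zeros so 1.0 and 1.0.0 compare equal."""
    return tuple(version) + (0,) * (width - len(version))


def version_affected(version):
    """True if the version falls inside any range listed in the advisory."""
    for low, high in AFFECTED_RANGES:
        width = max(len(low), len(high), len(version))
        if _pad(low, width) <= _pad(version, width) <= _pad(high, width):
            return True
    return False


def kerberos_enabled(core_site_xml):
    """True if hadoop.security.authentication is 'kerberos' in the given core-site.xml."""
    root = ET.fromstring(core_site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == "hadoop.security.authentication":
            return (prop.findtext("value") or "").strip().lower() == "kerberos"
    # Property absent: Hadoop falls back to "simple" authentication.
    return False


def triage(version_text, core_site_xml):
    """Classify a node against the advisory's version list and user condition.

    Returns one of:
      'affected'         - vulnerable build and Kerberos security enabled
      'unpatched-simple' - vulnerable build, but security features are off, so the
                           advisory's affected-user condition is not met
      'not-affected'     - build outside the listed version ranges
    """
    bad_build = version_affected(parse_version(version_text))
    if not bad_build:
        return "not-affected"
    return "affected" if kerberos_enabled(core_site_xml) else "unpatched-simple"


if __name__ == "__main__":
    for label, xml in (("secure", SECURE_CORE_SITE), ("insecure", INSECURE_CORE_SITE)):
        print(label, SAMPLE_VERSION_TEXT, "->", triage(SAMPLE_VERSION_TEXT, xml))
```

Run it against the real first line of `hadoop version` and the node's core-site.xml; a node that reports 1.0.2 or 0.23.2 (the fixed releases named in the advisory) classifies as not-affected, while 0.20.2xx and 1.0.0/1.0.1 with Kerberos on are the ones that need the emergency patch or upgrade.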