-[CVE-2012-3376] Apache Hadoop HDFS information disclosure vulnerability
Aaron T. Myers 2012-07-06, 19:01
-----BEGIN PGP SIGNED MESSAGE-----
Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note the
"Users affected", "Versions affected", and "Mitigation" sections.
The project team will be announcing a release vote shortly for Apache Hadoop
2.0.1-alpha, which will be comprised of the contents of Apache Hadoop
2.0.0-alpha, this security patch, and a few patches for YARN.
Aaron T. Myers
Software Engineer, Cloudera
CVE-2012-3376: Apache Hadoop HDFS information disclosure vulnerability
Vendor: The Apache Software Foundation
Versions Affected: Hadoop 2.0.0-alpha
Users who have enabled Hadoop's Kerberos/HDFS security features.
Malicious clients may gain write access to data for which they have read-only
permission, or gain read access to any data blocks whose IDs they can
When Hadoop's security features are enabled, clients authenticate to DataNodes
using BlockTokens issued by the NameNode to the client. The DataNodes are able
to verify the validity of a BlockToken, and will reject BlockTokens that were
not issued by the NameNode. The DataNode determines whether or not it should
check for BlockTokens when it registers with the NameNode.
Due to a bug in the DataNode/NameNode registration process, a DataNode which
registers more than once for the same block pool will conclude that it
thereafter no longer needs to check for BlockTokens sent by clients. That is,
the client will continue to send BlockTokens as part of its communication with
DataNodes, but the DataNodes will not check the validity of the tokens. A
DataNode will register more than once for the same block pool whenever the
NameNode restarts, or when HA is enabled.
Users of 2.0.0-alpha should immediately apply the patch provided below to their
systems. Users should upgrade to 2.0.1-alpha as soon as it becomes available.
Credit: This issue was discovered by Aaron T. Myers of Cloudera.
A signed patch against Apache Hadoop 2.0.0-alpha for this issue can be found
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----