Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Threaded View
HBase >> mail # dev >> Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability


Copy link to this message
-
Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
I'm not sure why the CVE isn't published yet, but the details are
available here:

https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin

-Joey

On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <[EMAIL PROTECTED]> wrote:
> Failed to CC dev@, my apologies.
>
>
>
> ----- Forwarded Message -----
>
>> From: Andrew Purtell <[EMAIL PROTECTED]>
>> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>> Cc:
>> Sent: Friday, April 6, 2012 10:11 AM
>> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Details of the below vulnerability have not been released.
>>
>> Given that HBase security has as its foundation Apache Hadoop authentication, at
>> this time we must assume any secure HBase deployment is equally vulnerable.
>>
>> I will update you when more information is available.
>>
>>
>> Best regards,
>>
>>
>>     - Andy
>>
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
>> Tom White)
>>
>>
>>
>> ----- Forwarded Message -----
>>>  From: Aaron T. Myers <[EMAIL PROTECTED]>
>>>  To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
>> [EMAIL PROTECTED]; [EMAIL PROTECTED]
>>>  Cc:
>>>  Sent: Thursday, April 5, 2012 7:31 PM
>>>  Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>
>>>  Hello,
>>>
>>>  Users of Apache Hadoop should be aware of a security vulnerability recently
>>>  discovered, as described by the following CVE. In particular, please note
>>>  the "Users affected", "Versions affected", and
>>>  "Mitigation" sections.
>>>
>>>  Best,
>>>  Aaron
>>>
>>>  --
>>>  Aaron T. Myers
>>>  Software Engineer, Cloudera
>>>
>>>  CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>
>>>  Severity: Critical
>>>
>>>  Vendor: The Apache Software Foundation
>>>
>>>  Versions Affected:
>>>  Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>  Hadoop 1.0.0 to 1.0.1
>>>  Hadoop 0.23.0 to 0.23.1.
>>>
>>>  Users affected: Users who have enabled Hadoop's Kerberos/MapReduce
>> security
>>>  features.
>>>
>>>  Impact: Vulnerability allows an authenticated malicious user to impersonate
>>>  any other user on the cluster.
>>>
>>>  Mitigation:
>>>  0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>  0.23.x users should upgrade to 0.23.2 when it becomes available
>>>
>>>  Credit:
>>>  This issue was discovered by Aaron T. Myers of Cloudera.
>>>
>>

--
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.