From: "Aaron T. Myers" <atm@cloudera.com>
Date: Fri, 23 Aug 2013 14:17:31 -0700
Subject: CVE-2013-2192: Apache Hadoop Man in the Middle Vulnerability
To: user@hadoop.apache.org, common-dev@hadoop.apache.org, general@hadoop.apache.org, security@apache.org, full-disclosure@lists.grok.org.uk, bugtraq

Hello,

Please see below for the official announcement of a serious security vulnerability which has been discovered and subsequently fixed in Apache Hadoop releases.

Best,
Aaron

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-2192: Apache Hadoop Man in the Middle Vulnerability

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
All versions of Hadoop 2.x prior to Hadoop 2.0.6-alpha.
All versions of Hadoop 0.23.x prior to Hadoop 0.23.9.
All versions of Hadoop 1.x prior to Hadoop 1.2.1.

Users affected: Users who have enabled Hadoop's Kerberos security features.

Impact: RPC traffic from clients, potentially including authentication credentials, may be intercepted by a malicious user with access to run tasks or containers on a cluster.

Description: The Apache Hadoop RPC protocol is intended to provide bidirectional authentication between clients and servers. However, a malicious server or network attacker can unilaterally disable these authentication checks. This allows for potential reduction in the configured quality of protection of the RPC traffic, and privilege escalation if authentication credentials are passed over RPC.

Mitigation:
Users of Hadoop 1.x versions should immediately upgrade to 1.2.1 or later.
Users of Hadoop 0.23.x versions should immediately upgrade to 0.23.9 or later.
Users of Hadoop 2.x versions prior to 2.0.6-alpha should immediately upgrade to 2.0.6-alpha or later.

Credit: This issue was discovered by Kyle Leckie of Microsoft and Aaron T. Myers of Cloudera.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJSF84CAAoJECEaGfB4kTjfI7kH/0v4JJ992vGV4esnAKgNnTmn
A7GCj2zT7KFgF7ii6G6+5Xny9AnISTZWfMII/Szs5qaFgiaByvsNR5FoN+o5BS8s
vPWU8v5f3/cayacQgl8vxUiTlkXYZWQX+3V+8RTqAR3fPsr9IUMse4hOEcXvAjHr
gDeWKiQaXRRhVjfmTLll1OWuKT8PmVar3qcbsg3vo/tj/yjOoVEfhV3DMOdIi+ES
pWtTxs5/fB8t+wA4hdY1r6trE7X6fys9NYC11jp83ej+ecjnHy7kmKGl41WESD+G
GOhAPYCMS9D29KGs2c6q0xCqi22R0klTs9d3Z/f7F5htGfBSAfAOpC6xPJ66/ZY=
=4+in
-----END PGP SIGNATURE-----
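The failure the Description above refers to, as an added illustration that is not part of the advisory and not Hadoop's own code: a client configured for Kerberos sends its connection header, receives the server's negotiation reply, and has to decide whether to honour it. `negotiate_vulnerable` takes the reply at face value, which is the behaviour the advisory describes (a server, or anyone who can rewrite traffic on the path, can answer "SIMPLE, no protection" and the client complies); `negotiate_hardened` refuses any reply weaker than the client's own policy. The class and function names, the `fallback_to_simple_allowed` flag and the `on_path_rewrite` attacker are assumptions made for this model; the flag stands in for the real Hadoop client property `ipc.client.fallback-to-simple-auth-allowed`, which defaults to false.

```python
"""Model of the RPC authentication negotiation the advisory describes.

Added example, not Hadoop's code: the names below are assumptions chosen
for the model. Only the shape of the check carries over: the client must
refuse a server reply that is weaker than its own configured policy.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthMethod(IntEnum):
    """Authentication mechanisms, ordered weakest to strongest."""
    SIMPLE = 0     # no authentication: the client merely asserts a user name
    TOKEN = 1      # delegation token, proven with a digest exchange
    KERBEROS = 2   # GSSAPI with a Kerberos ticket


class Qop(IntEnum):
    """SASL quality of protection, ordered weakest to strongest."""
    AUTH = 0       # authenticate only; RPC payloads travel in the clear
    AUTH_INT = 1   # payloads integrity-protected
    AUTH_CONF = 2  # payloads integrity-protected and encrypted


class NegotiationRejected(Exception):
    """Raised when the hardened client aborts rather than downgrade."""


@dataclass(frozen=True)
class ClientPolicy:
    auth: AuthMethod                          # method the client is configured for
    min_qop: Qop                              # weakest QoP the client will accept
    fallback_to_simple_allowed: bool = False  # hypothetical flag, see lead-in


@dataclass(frozen=True)
class ServerReply:
    """What the client sees as the server's answer to its connection header."""
    auth: AuthMethod
    qop: Qop


def negotiate_vulnerable(policy: ClientPolicy, reply: ServerReply):
    """Pre-fix behaviour as the advisory describes it: whatever the server
    (or whoever is in the middle) says goes, regardless of client config."""
    return reply.auth, reply.qop


def negotiate_hardened(policy: ClientPolicy, reply: ServerReply):
    """Proceed only if the reply is at least as strong as the local policy."""
    if reply.auth == AuthMethod.SIMPLE and policy.auth != AuthMethod.SIMPLE:
        if not policy.fallback_to_simple_allowed:
            raise NegotiationRejected(
                f"server asked to drop from {policy.auth.name} to SIMPLE")
    elif reply.auth < policy.auth:
        raise NegotiationRejected(
            f"server offered {reply.auth.name}, policy requires {policy.auth.name}")
    if reply.qop < policy.min_qop:
        raise NegotiationRejected(
            f"server offered QoP {reply.qop.name}, policy requires {policy.min_qop.name}")
    return reply.auth, reply.qop


def on_path_rewrite(reply: ServerReply) -> ServerReply:
    """Constructed attacker: someone who can run tasks on the cluster, or sits
    on the network path, replaces the honest reply with the weakest settings."""
    return ServerReply(AuthMethod.SIMPLE, Qop.AUTH)


def connect(policy: ClientPolicy, negotiate, attacker_present: bool) -> dict:
    """Drive one connection attempt and report what the client ended up with."""
    honest_reply = ServerReply(policy.auth, policy.min_qop)  # correctly configured server
    seen = on_path_rewrite(honest_reply) if attacker_present else honest_reply
    try:
        auth, qop = negotiate(policy, seen)
    except NegotiationRejected as err:
        return {"connected": False, "reason": str(err)}
    return {
        "connected": True,
        "auth": auth.name,
        "qop": qop.name,
        # Under SIMPLE the client never verified the server, so any token or
        # credential it now sends over this RPC goes to an unverified peer.
        "server_authenticated": auth != AuthMethod.SIMPLE,
        "payload_in_clear": qop == Qop.AUTH,
    }


if __name__ == "__main__":
    kerberos_privacy = ClientPolicy(AuthMethod.KERBEROS, Qop.AUTH_CONF)
    for label, negotiate in (("vulnerable", negotiate_vulnerable),
                             ("hardened", negotiate_hardened)):
        print(label, "no attacker:", connect(kerberos_privacy, negotiate, False))
        print(label, "with attacker:", connect(kerberos_privacy, negotiate, True))
    # Re-enabling fallback reopens the hole even in the hardened client.
    lenient = ClientPolicy(AuthMethod.KERBEROS, Qop.AUTH, fallback_to_simple_allowed=True)
    print("hardened, fallback allowed, with attacker:",
          connect(lenient, negotiate_hardened, True))
```

The last case is the check worth making after upgrading to a fixed release: if `ipc.client.fallback-to-simple-auth-allowed` has been set to true in core-site.xml (for instance to talk to an insecure cluster), a Kerberos-configured client will again accept a SIMPLE reply from whoever answers first, and the hardened path behaves exactly like the vulnerable one.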