hadoop-general mailing list archives

From Andrew Purtell <apurt...@apache.org>
Subject Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 17:02:36 GMT
This is not a helpful disclosure.

Now we know our "secure" deployment is vulnerable, but have no idea how to mitigate. Claiming
an upgrade to a nonexistent version with an, apparently, uncommitted fix as a mitigation is
not viable. Where is the JIRA for this? 

Best regards,


    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)



----- Original Message -----
> From: Aaron T. Myers <atm@cloudera.com>
> To: general@hadoop.apache.org; security@apache.org; full-disclosure@lists.grok.org.uk;
> bugtraq@securityfocus.com
> Cc: 
> Sent: Thursday, April 5, 2012 7:31 PM
> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> 
> Hello,
> 
> Users of Apache Hadoop should be aware of a security vulnerability recently
> discovered, as described by the following CVE. In particular, please note
> the "Users affected", "Versions affected", and 
> "Mitigation" sections.
> 
> Best,
> Aaron
> 
> --
> Aaron T. Myers
> Software Engineer, Cloudera
> 
> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
> 
> Severity: Critical
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
> Hadoop 1.0.0 to 1.0.1
> Hadoop 0.23.0 to 0.23.1.
> 
> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
> features.
> 
> Impact: Vulnerability allows an authenticated malicious user to impersonate
> any other user on the cluster.
> 
> Mitigation:
> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
> 0.23.x users should upgrade to 0.23.2 when it becomes available
> 
> Credit:
> This issue was discovered by Aaron T. Myers of Cloudera.
> 
