From: Andrew Purtell
To: "general@hadoop.apache.org", "security@apache.org"
Reply-To: general@hadoop.apache.org
Date: Fri, 6 Apr 2012 10:19:11 -0700 (PDT)
Subject: Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Message-ID: <1333732751.60003.YahooMailNeo@web164501.mail.gq1.yahoo.com>
In-Reply-To: <1333731756.94265.YahooMailNeo@web164502.mail.gq1.yahoo.com>
Mailing-List: general@hadoop.apache.org (list-id: hadoop-general; archived at apmail-hadoop-general-archive@hadoop.apache.org)

I received off-list communication that the fix is here: https://github.com/apache/hadoop-common/commit/fda454

Thank you, this is the missing disclosure we were looking for.

I did not go so far back in time as >~ 21 days because the announcement was made today, so I missed it.

So there is additional mitigation possible; for example, a user can patch task-controller quite readily and roll out an emergency upgrade.

Best regards,

    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)


----- Original Message -----
> From: Andrew Purtell
> To: "general@hadoop.apache.org"; "security@apache.org"
> Cc:
> Sent: Friday, April 6, 2012 10:02 AM
> Subject: Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>
> This is not a helpful disclosure.
>
> Now we know our "secure" deployment is vulnerable, but have no idea
> how to mitigate. Claiming an upgrade to a nonexistent version with an,
> apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA for
> this?
>
> Best regards,
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
> Tom White)
>
>
> ----- Original Message -----
>> From: Aaron T. Myers
>> To: general@hadoop.apache.org; security@apache.org;
>> full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>> Cc:
>> Sent: Thursday, April 5, 2012 7:31 PM
>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Hello,
>>
>> Users of Apache Hadoop should be aware of a security vulnerability recently
>> discovered, as described by the following CVE. In particular, please note
>> the "Users affected", "Versions affected", and
>> "Mitigation" sections.
>>
>> Best,
>> Aaron
>>
>> --
>> Aaron T. Myers
>> Software Engineer, Cloudera
>>
>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>
>> Severity: Critical
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>> Hadoop 1.0.0 to 1.0.1
>> Hadoop 0.23.0 to 0.23.1.
>>
>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>> features.
>>
>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>> any other user on the cluster.
>>
>> Mitigation:
>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>
>> Credit:
>> This issue was discovered by Aaron T. Myers of Cloudera.
>>
>