hadoop-general mailing list archives

From Matt Foley <ma...@apache.org>
Subject Re: [ANNOUNCE] Hadoop 1.1.0 release
Date Thu, 18 Oct 2012 09:27:02 GMT
Documentation and Jira cleanup are all complete, for Hadoop-1.1.0 and 1.0.4.

On Sun, Oct 14, 2012 at 9:08 PM, Matt Foley <mattf@apache.org> wrote:

> Hello,
> The release of Hadoop-1.1.0 has been voted, accepted, and posted.
> It is available in SVN and Maven, as well as at
>     http://www.apache.org/dist/hadoop/common/hadoop-1.1.0/
> It is still propagating to mirrors, and should be available on all mirrors
> by this time Monday.
> The documentation update is being worked on now and will be available by
> Monday morning.
> This release includes approximately 135 enhancements and bug fixes
> compared to Hadoop-1.0.4,
> including:
>    - many performance improvements in HDFS, backported from trunk
>    - improvements in Security to use SPNEGO instead of Kerberized SSL for
>    HTTP transactions
>    - lower default minimum heartbeat for task trackers from 3 sec to
>    300msec to increase job throughput on small clusters
>    - port Gridmix v3
>    - set MALLOC_ARENA_MAX in hadoop-config.sh to resolve problems with
>    glibc in RHEL-6
>    - splittable bzip2 files
> Like the recent Hadoop-1.0.4 maintenance release, this release also
> includes the Security bug fix for CVE-2012-4449, discovered by Daryn Sharp
> and fixed by Owen O'Malley.  The CVE announcement is below.  All users are
> encouraged to upgrade to either 1.0.4 or 1.1.0 as soon as possible to
> address this security problem.
> Best regards,
> --Matt Foley
> Release Manager
> CVE-2012-4449: Apache Hadoop security token vulnerabilities
> Severity: Critical
> Vendor: The Apache Software Foundation
> Versions Affected:
> 0.20.X: All versions
> 0.23: All versions before 0.23.4
> 1.0: All versions before 1.0.4
> 2.0: All versions before 2.0.2
> Users affected:
> Users who have enabled Hadoop's Kerberos security features.
> Impact:
> Malicious users may crack the secret keys used to sign security
> tokens, thus granting them the ability to fabricate tokens for
> privilege escalation.  Malicious users may also launch unauthorized
> tasks as an arbitrary user for privilege escalation.
> Description:
> When Hadoop's security features are enabled, clients initially present
> Kerberos credentials to authenticate to a service such as the
> NameNode.  A client may then request a security token for subsequent
> authentication within the Hadoop cluster.  The client receives a
> security token and a corresponding signature for the token, generated
> using the HMAC algorithm and a SHA1 hash.
> Token passwords are generated using a trivial secret key length (20
> bits).  A key of this size can be brute forced in at most a few
> seconds.  Once the secret is cracked, one can generate arbitrary
> tokens to impersonate other users.  These fraudulent tokens may be
> used to gain unauthorized access to data or disrupt services within
> the cluster.  With default secret key rolling values, a cracked secret
> may often be exploited for a couple days before another secret has to
> be cracked.
> Some token-based services, such as the NameNode's delegation tokens
> for the namespace, are immune from a compromised secret key because
> they record the generated tokens.  A fraudulent token with a valid
> password will be rejected since the service will know it did not generate
> the token.  Services that generate a token on behalf of another
> service and rely on a shared secret for the other service to validate
> the token's password are especially vulnerable.
> HDFS (all versions):
> Malicious clients cannot gain unauthorized access to the namespace.
> Malicious clients may however gain full access (read, write, and
> delete) to any block based on knowledge of the block id.
> MapReduce (1.x):
> Malicious clients may intercept task data, task logs, alter task
> status, and disrupt tasks from executing or completing.  A malicious
> client may also inject data into a Pipes-based job.
> Yarn (2.x only):
> Malicious clients may perform the same attacks as MapReduce.  An
> unauthorized yarn task may be launched unbeknownst to the
> ResourceManager.  Additionally, the security tokens for launching
> tasks do not contain the job submitter.  The user for task execution
> is specified in an untrusted container launch context, thus allowing a
> task to be launched as an arbitrary user.  When combined, an
> unauthorized task may be launched as an arbitrary user.
> Other Hadoop projects:
> Hadoop projects using the token management framework may be
> susceptible if their services do not store the tokens issued, or if a
> service generates tokens for other services.  This includes Apache
> HBase version 0.92.0 or higher when the Kerberos-based security
> features are enabled.
> Mitigation:
> Users should immediately upgrade to the latest applicable release
> (0.23.4, 1.0.4 or later, or 2.0.2), or should immediately apply the
> patch provided below to their systems.
> Credit: This issue was discovered by Daryn Sharp of Yahoo! Inc.
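The advisory above makes two design points: an HMAC-SHA1 token password proves only that whoever computed it held the secret, so a crackable key lets anyone mint passwords that validate; and a service that additionally records the tokens it issued rejects tokens it never generated, which is why the NameNode's delegation tokens are described as immune while services that validate with a shared secret alone are not. The following Python is an added illustration of that contrast, not Hadoop code and not part of the original message. The `TokenService` class, the JSON token identifier layout, and the two service instances in `demo()` are constructed for the example; the secret is a random 160-bit value so the script does not reproduce the short-key weakness, and `key_space()` only quantifies why 20 bits is trivial to exhaust.

```python
"""Added illustration of the token-record check described in CVE-2012-4449.
Not Hadoop code: the classes and token layout here are constructed for the example."""
import hashlib
import hmac
import json
import secrets


class TokenService:
    """Issues tokens whose password is HMAC-SHA1(secret, identifier), as the advisory
    describes, and optionally remembers which identifiers it issued (assumed model)."""

    def __init__(self, secret: bytes, records_issued_tokens: bool):
        self.secret = secret
        self.records_issued_tokens = records_issued_tokens
        self._issued: set[bytes] = set()

    def _password(self, identifier: bytes) -> bytes:
        # Token password = HMAC-SHA1 over the token identifier, keyed with the service secret.
        return hmac.new(self.secret, identifier, hashlib.sha1).digest()

    def issue(self, owner: str, seq: int) -> tuple[bytes, bytes]:
        identifier = json.dumps({"owner": owner, "seq": seq}, sort_keys=True).encode()
        if self.records_issued_tokens:
            self._issued.add(identifier)
        return identifier, self._password(identifier)

    def verify(self, identifier: bytes, password: bytes) -> bool:
        # Constant-time comparison so the check itself does not leak the password.
        if not hmac.compare_digest(self._password(identifier), password):
            return False
        # The record check is what makes a recording service immune to a leaked secret:
        # a valid MAC over an identifier it never issued is still rejected.
        if self.records_issued_tokens and identifier not in self._issued:
            return False
        return True


def password_from_secret(secret: bytes, identifier: bytes) -> bytes:
    """What any holder of the secret can compute; the MAC alone carries no issuance state."""
    return hmac.new(secret, identifier, hashlib.sha1).digest()


def key_space(key_bits: int) -> int:
    """Number of candidate keys an exhaustive search must cover for a key of this size."""
    return 2 ** key_bits


def demo() -> dict:
    # Constructed secret: 160 bits here, deliberately not the 20-bit keys of the advisory.
    shared_secret = secrets.token_bytes(20)
    # A service that records what it issues (the immune pattern in the advisory).
    recording_service = TokenService(shared_secret, records_issued_tokens=True)
    # A downstream service that validates with the shared secret alone (the vulnerable pattern).
    shared_secret_service = TokenService(shared_secret, records_issued_tokens=False)

    legit_id, legit_pw = recording_service.issue("alice", seq=1)
    # A token never issued by either service but carrying a password made with the secret.
    unissued_id = json.dumps({"owner": "hdfs", "seq": 999}, sort_keys=True).encode()
    unissued_pw = password_from_secret(shared_secret, unissued_id)
    # Editing the identifier without the secret breaks the MAC, so that case is caught either way.
    tampered_id = legit_id.replace(b"alice", b"mallory")

    return {
        "legit_accepted": recording_service.verify(legit_id, legit_pw),
        "tampered_rejected": not recording_service.verify(tampered_id, legit_pw),
        "recording_service_rejects_unissued": not recording_service.verify(unissued_id, unissued_pw),
        "shared_secret_service_accepts_unissued": shared_secret_service.verify(unissued_id, unissued_pw),
        "keys_to_try_20_bit": key_space(20),
        "keys_to_try_160_bit": key_space(160),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the asymmetry the advisory relies on: the same well-formed token is accepted by the service that trusts the MAC alone and refused by the one that also consults its issuance record, and `key_space(20)` is only about a million candidates against roughly 1.5e48 for a 160-bit key. The record-keeping check is a mitigation for services that can afford to track issued tokens; for the cross-service shared-secret case the advisory's remedy is the upgrade or patch it names.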
