hbase-dev mailing list archives

From Andrew Purtell <apurt...@apache.org>
Subject Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 17:12:38 GMT
Failed to CC dev@, my apologies.
----- Forwarded Message -----

> From: Andrew Purtell <apurtell@apache.org>
> To: "user@hbase.apache.org" <user@hbase.apache.org>
> Cc: 
> Sent: Friday, April 6, 2012 10:11 AM
> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> 
> Details of the below vulnerability have not been released.
> 
> Given that HBase security has as its foundation Apache Hadoop authentication, at 
> this time we must assume any secure HBase deployment is equally vulnerable.
> 
> I will update you when more information is available.
> 
> 
> Best regards,
> 
> 
>     - Andy
> 
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via 
> Tom White)
> 
> 
> 
> ----- Forwarded Message -----
>>  From: Aaron T. Myers <atm@cloudera.com>
>>  To: general@hadoop.apache.org; security@apache.org;
>>  full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>  Cc: 
>>  Sent: Thursday, April 5, 2012 7:31 PM
>>  Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>> 
>>  Hello,
>> 
>>  Users of Apache Hadoop should be aware of a security vulnerability recently
>>  discovered, as described by the following CVE. In particular, please note
>>  the "Users affected", "Versions affected", and
>>  "Mitigation" sections.
>> 
>>  Best,
>>  Aaron
>> 
>>  --
>>  Aaron T. Myers
>>  Software Engineer, Cloudera
>> 
>>  CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>> 
>>  Severity: Critical
>> 
>>  Vendor: The Apache Software Foundation
>> 
>>  Versions Affected:
>>  Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>  Hadoop 1.0.0 to 1.0.1
>>  Hadoop 0.23.0 to 0.23.1.
>> 
>>  Users affected: Users who have enabled Hadoop's Kerberos/MapReduce
>>  security features.
>> 
>>  Impact: Vulnerability allows an authenticated malicious user to impersonate
>>  any other user on the cluster.
>> 
>>  Mitigation:
>>  0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>  0.23.x users should upgrade to 0.23.2 when it becomes available
>> 
>>  Credit:
>>  This issue was discovered by Aaron T. Myers of Cloudera.
>> 
> 
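The advisory gives the affected versions as a short list and two inclusive ranges, and a different upgrade target for the 0.23 line than for the 0.20.20x / 1.0.x lines. The following is an added example, not part of the forwarded mail or of any Apache project code: a small Python checker that parses a dotted Hadoop version string, tests it against exactly the versions the advisory names, and returns the upgrade target the "Mitigation" section gives for that line. Everything below the advisory's own numbers is an assumption: the parser drops a trailing qualifier such as `-SNAPSHOT`, the range test compares only as many components as the advisory's bounds have, and the sample inputs in `main()` are constructed.

```python
"""Check a Hadoop version string against the affected versions listed in
CVE-2012-1574 and report the upgrade target the advisory names.

Added illustration; the version data is copied from the advisory text, the
parsing and comparison rules are this example's own assumptions.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Versions named individually in the advisory ("Versions Affected").
AFFECTED_EXACT = {(0, 20, 203, 0), (0, 20, 204, 0), (0, 20, 205, 0)}

# Inclusive ranges from the advisory: "1.0.0 to 1.0.1", "0.23.0 to 0.23.1".
AFFECTED_RANGES = [
    ((1, 0, 0), (1, 0, 1)),
    ((0, 23, 0), (0, 23, 1)),
]


def parse_version(text: str) -> Version:
    """Turn '0.20.205.0' into (0, 20, 205, 0).

    Assumption: a trailing qualifier such as '1.0.1-SNAPSHOT' is ignored and
    only the numeric dotted prefix is compared.
    """
    numeric = text.strip().split("-", 1)[0]
    parts = numeric.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so '0.23.1' and '0.23.1.0' compare equal."""
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True if the version is one the advisory lists as affected."""
    v = parse_version(version)
    if _pad(v, 4) in AFFECTED_EXACT:
        return True
    for low, high in AFFECTED_RANGES:
        # Assumption: compare only as many components as the bounds have, so a
        # hypothetical '0.23.1.x' point release is still treated as inside
        # '0.23.0 to 0.23.1' (the conservative reading for a defender).
        width = len(low)
        key = _pad(v[:width], width)
        if low <= key <= high:
            return True
    return False


def upgrade_target(version: str) -> Optional[str]:
    """Upgrade target from the advisory's Mitigation section, or None if the
    version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    if v[:2] == (0, 23):
        return "0.23.2"   # "0.23.x users should upgrade to 0.23.2"
    return "1.0.2"        # "0.20.20x.x and 1.0.x users should upgrade to 1.0.2"


def describe(version: str) -> str:
    """One-line report suitable for an inventory script."""
    target = upgrade_target(version)
    if target is None:
        return f"{version}: not listed as affected by CVE-2012-1574"
    return f"{version}: AFFECTED by CVE-2012-1574, upgrade to {target}"


def main() -> None:
    # Constructed sample inventory, not real hosts.
    for v in ["0.20.205.0", "1.0.1", "1.0.2", "0.23.0", "0.20.2", "1.0.1-SNAPSHOT"]:
        print(describe(v))


if __name__ == "__main__":
    main()
```

Because the advisory lists only three 0.20.20x.0 releases, the checker does not treat other 0.20.x builds as affected; a deployment running a vendor build that maps onto one of the listed releases would need to be checked by its upstream base version instead.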
