hbase-dev mailing list archives

From Andrew Purtell <apurt...@apache.org>
Subject Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 17:30:29 GMT
Thanks. 


The problem with that disclosure as written is it provided no information as to the nature
of the vulnerability. And, as you mention, the CVE is 404.

> "Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security features."

Well, we have enabled Hadoop's Kerberos security features. The additional qualification of
"MapReduce" is there but there is insufficient context. So a broad reading is required. 

> "Impact: Vulnerability allows an authenticated malicious user to impersonate any other user on the cluster."

The implication given the lack of information is that Hadoop's Kerberos based authentication
is worthless.

Thankfully that is not the case, and HBase is not affected.
 
Best regards,


    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)



----- Original Message -----
> From: Joey Echeverria <joey@cloudera.com>
> To: dev@hbase.apache.org; Andrew Purtell <apurtell@apache.org>
> Cc: 
> Sent: Friday, April 6, 2012 10:19 AM
> Subject: Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> 
> I'm not sure why the CVE isn't published yet, but the details are
> available here:
> 
> https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin
> 
> -Joey
> 
> On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <apurtell@apache.org> 
> wrote:
>>  Failed to CC dev@, my apologies.
>> 
>> 
>> 
>>  ----- Forwarded Message -----
>> 
>>>  From: Andrew Purtell <apurtell@apache.org>
>>>  To: "user@hbase.apache.org" <user@hbase.apache.org>
>>>  Cc:
>>>  Sent: Friday, April 6, 2012 10:11 AM
>>>  Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>> 
>>>  Details of the below vulnerability have not been released.
>>> 
>>>  Given that HBase security has as its foundation Apache Hadoop authentication, at
>>>  this time we must assume any secure HBase deployment is equally vulnerable.
>>> 
>>>  I will update you when more information is available.
>>> 
>>> 
>>>  Best regards,
>>> 
>>> 
>>>      - Andy
>>> 
>>>  Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
>>>  Tom White)
>>> 
>>> 
>>> 
>>>  ----- Forwarded Message -----
>>>>   From: Aaron T. Myers <atm@cloudera.com>
>>>>   To: general@hadoop.apache.org; security@apache.org;
>>>>   full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>>>   Cc:
>>>>   Sent: Thursday, April 5, 2012 7:31 PM
>>>>   Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>> 
>>>>   Hello,
>>>> 
>>>>   Users of Apache Hadoop should be aware of a security vulnerability recently
>>>>   discovered, as described by the following CVE. In particular, please note
>>>>   the "Users affected", "Versions affected", and "Mitigation" sections.
>>>> 
>>>>   Best,
>>>>   Aaron
>>>> 
>>>>   --
>>>>   Aaron T. Myers
>>>>   Software Engineer, Cloudera
>>>> 
>>>>   CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>> 
>>>>   Severity: Critical
>>>> 
>>>>   Vendor: The Apache Software Foundation
>>>> 
>>>>   Versions Affected:
>>>>   Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>>   Hadoop 1.0.0 to 1.0.1
>>>>   Hadoop 0.23.0 to 0.23.1.
>>>> 
>>>>   Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>>>>   features.
>>>> 
>>>>   Impact: Vulnerability allows an authenticated malicious user to impersonate
>>>>   any other user on the cluster.
>>>> 
>>>>   Mitigation:
>>>>   0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>>   0.23.x users should upgrade to 0.23.2 when it becomes available
>>>> 
>>>>   Credit:
>>>>   This issue was discovered by Aaron T. Myers of Cloudera.
>>>> 
>>> 
> 
> 
> 
> -- 
> Joey Echeverria
> Senior Solutions Architect
> Cloudera, Inc.
> 

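Added example, not part of any message in this thread: a small script that checks a deployed Hadoop version string against the "Versions Affected" and "Mitigation" sections of the advisory quoted above. The affected ranges and the recommended upgrades come from the advisory; the function names, the treatment of "0.20.20x.x" as the three listed releases at any patch level, and the sample host inventory are this example's own assumptions.

```python
"""Check Hadoop version strings against the ranges in the CVE-2012-1574
advisory quoted in the thread.  Ranges and mitigations are the advisory's;
the code and the sample inventory below are an added, constructed example."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges: lower bound inclusive, upper bound exclusive, plus the
# mitigation the advisory gives for that release line.  The three 0.20
# releases (0.20.203.0, 0.20.204.0, 0.20.205.0) are encoded as
# [0.20.203, 0.20.206) so any patch level of those releases matches, which
# is how the mitigation's "0.20.20x.x" reads.
AFFECTED_RANGES = (
    ((0, 20, 203), (0, 20, 206), "upgrade to 1.0.2"),
    ((1, 0, 0), (1, 0, 2), "upgrade to 1.0.2"),
    ((0, 23, 0), (0, 23, 2), "upgrade to 0.23.2 when it becomes available"),
)


def parse_version(text: str) -> Version:
    """Parse '0.20.205.0', '1.0.1' or '1.0.2-SNAPSHOT' into a tuple of ints.

    Only the leading dotted-numeric part is used.  A qualifier such as
    '-SNAPSHOT' is dropped, so a pre-release build of a fixed version is
    treated as that version; if you run snapshot builds, confirm separately
    that the fix is actually in the build you deployed.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a Hadoop version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare.  Missing trailing components count as 0, so
    1.0.1 == 1.0.1.0 and 0.20.205 < 0.20.205.1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def advised_mitigation(version: str) -> Optional[str]:
    """Return the advisory's mitigation if `version` is in an affected
    range, or None if the advisory does not list it as affected."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if compare(v, low) >= 0 and compare(v, high) < 0:
            return fix
    return None


def is_affected(version: str) -> bool:
    return advised_mitigation(version) is not None


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map {host: hadoop_version} to {host: mitigation_or_None}.

    Checking every node matters because, as the thread notes, a secure
    HBase deployment rests on the Hadoop authentication underneath it."""
    return {host: advised_mitigation(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "nn1.example": "1.0.1",
        "dn1.example": "0.20.205.0",
        "dn2.example": "0.23.1",
        "dn3.example": "1.0.2",
        "edge.example": "0.20.2",
    }
    for host, fix in audit_inventory(sample).items():
        print(f"{host:14} {sample[host]:12} {fix or 'not listed as affected'}")
```

Run it against your real node inventory in place of the constructed one; a None result means only that the advisory does not list that version, not that the build has been verified as fixed.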