hbase-dev mailing list archives

From Joey Echeverria <j...@cloudera.com>
Subject Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 17:19:31 GMT
I'm not sure why the CVE isn't published yet, but the details are
available here:

https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin

-Joey

On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <apurtell@apache.org> wrote:
> Failed to CC dev@, my apologies.
>
>
>
> ----- Forwarded Message -----
>
>> From: Andrew Purtell <apurtell@apache.org>
>> To: "user@hbase.apache.org" <user@hbase.apache.org>
>> Cc:
>> Sent: Friday, April 6, 2012 10:11 AM
>> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Details of the below vulnerability have not been released.
>>
>> Given that HBase security has as its foundation Apache Hadoop authentication, at
>> this time we must assume any secure HBase deployment is equally vulnerable.
>>
>> I will update you when more information is available.
>>
>>
>> Best regards,
>>
>>
>>     - Andy
>>
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
>> Tom White)
>>
>>
>>
>> ----- Forwarded Message -----
>>>  From: Aaron T. Myers <atm@cloudera.com>
>>>  To: general@hadoop.apache.org; security@apache.org;
>>>  full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>>  Cc:
>>>  Sent: Thursday, April 5, 2012 7:31 PM
>>>  Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>
>>>  Hello,
>>>
>>>  Users of Apache Hadoop should be aware of a security vulnerability recently
>>>  discovered, as described by the following CVE. In particular, please note
>>>  the "Users affected", "Versions affected", and
>>>  "Mitigation" sections.
>>>
>>>  Best,
>>>  Aaron
>>>
>>>  --
>>>  Aaron T. Myers
>>>  Software Engineer, Cloudera
>>>
>>>  CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>
>>>  Severity: Critical
>>>
>>>  Vendor: The Apache Software Foundation
>>>
>>>  Versions Affected:
>>>  Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>  Hadoop 1.0.0 to 1.0.1
>>>  Hadoop 0.23.0 to 0.23.1.
>>>
>>>  Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>>>  features.
>>>
>>>  Impact: Vulnerability allows an authenticated malicious user to impersonate
>>>  any other user on the cluster.
>>>
>>>  Mitigation:
>>>  0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>  0.23.x users should upgrade to 0.23.2 when it becomes available
>>>
>>>  Credit:
>>>  This issue was discovered by Aaron T. Myers of Cloudera.
>>>
>>



-- 
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.
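The practical question a cluster operator has after reading the advisory quoted in this thread is "is my release on the affected list?". The following is an added example, not part of the thread and not code from Cloudera or the Hadoop project: it encodes the affected and fixed version numbers exactly as the CVE-2012-1574 advisory above states them and checks a Hadoop version string against them. Two things are assumptions of the example rather than facts from the thread: that the first line of `hadoop version` output has the form `Hadoop <version>`, and that a `-suffix` on a version string is a vendor build tag that can be dropped (vendor distributions use their own numbering, so such builds should be checked against the vendor's own bulletin, e.g. the Cloudera link in Joey's reply, not this list).

```python
"""Check a Hadoop version against the CVE-2012-1574 advisory.

Added example (not part of the mailing-list thread). The version numbers
below are copied from the advisory; the `hadoop version` output format and
the handling of vendor suffixes are assumptions of this example.
"""
import re

# Explicit Apache releases the advisory names as affected.
AFFECTED_EXACT = {(0, 20, 203, 0), (0, 20, 204, 0), (0, 20, 205, 0)}

# Inclusive patch-level ranges from the advisory, keyed by release line.
AFFECTED_LINES = {
    (1, 0): (0, 1),   # Hadoop 1.0.0 to 1.0.1
    (0, 23): (0, 1),  # Hadoop 0.23.0 to 0.23.1
}

# Mitigation per the advisory, keyed by release line.
UPGRADE_TARGET = {
    (0, 20): "1.0.2",
    (1, 0): "1.0.2",
    (0, 23): "0.23.2 (when it becomes available)",
}

# Assumption: `hadoop version` prints "Hadoop <version>" on its first line.
HADOOP_VERSION_LINE = re.compile(r"^Hadoop\s+(\S+)", re.MULTILINE)

# Constructed sample output (placeholders, not a real build's output).
SAMPLE_OUTPUT = (
    "Hadoop 1.0.1\n"
    "Subversion [constructed placeholder]\n"
    "Compiled by [constructed placeholder]\n"
)


def parse_version(text):
    """'0.20.203.0' -> (0, 20, 203, 0). A '-suffix' is dropped (assumed vendor tag)."""
    base = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+){2,}", base):
        raise ValueError(f"not a dotted Hadoop version with >= 3 components: {text!r}")
    return tuple(int(part) for part in base.split("."))


def is_affected(version):
    """True if the version falls inside the advisory's affected list."""
    v = parse_version(version) if isinstance(version, str) else version
    padded = v + (0,) * (4 - len(v))  # normalize to four components
    if padded in AFFECTED_EXACT:
        return True
    line = padded[:2]
    if line in AFFECTED_LINES:
        lo, hi = AFFECTED_LINES[line]
        return lo <= padded[2] <= hi
    return False


def recommended_action(version):
    """Return the advisory's mitigation text for an affected version."""
    v = parse_version(version)
    if not is_affected(v):
        return "not listed as affected by CVE-2012-1574"
    return "upgrade to " + UPGRADE_TARGET[v[:2]]


def version_from_output(output):
    """Extract the version string from `hadoop version` output (assumed format)."""
    match = HADOOP_VERSION_LINE.search(output)
    if not match:
        raise ValueError("no 'Hadoop <version>' line found in output")
    return match.group(1)


if __name__ == "__main__":
    import sys
    # Pipe real `hadoop version` output on stdin, or run without input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    found = version_from_output(text)
    print(f"Hadoop {found}: affected={is_affected(found)}; {recommended_action(found)}")
```

Usage: `hadoop version | python check_cve_2012_1574.py` on a node whose Hadoop CLI is on the path; with no input it evaluates the constructed sample and reports that 1.0.1 is affected and should be upgraded to 1.0.2. The check is deliberately prefix-based (release line plus patch number) rather than a single ordered comparison, because the advisory lists three separate release lines with separate fix versions, and a plain "less than 1.0.2" test would wrongly mark 0.23.2 as affected.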
