From: Andrew Purtell
Reply-To: Andrew Purtell
To: "dev@hbase.apache.org"
Date: Fri, 6 Apr 2012 10:12:38 -0700 (PDT)
Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Message-ID: <1333732358.60670.YahooMailNeo@web164501.mail.gq1.yahoo.com>
In-Reply-To: <1333732314.10392.YahooMailNeo@web164502.mail.gq1.yahoo.com>

Failed to CC dev@, my apologies.


----- Forwarded Message -----

> From: Andrew Purtell
> To: "user@hbase.apache.org"
> Cc:
> Sent: Friday, April 6, 2012 10:11 AM
> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>
> Details of the below vulnerability have not been released.
>
> Given that HBase security has as its foundation Apache Hadoop authentication, at
> this time we must assume any secure HBase deployment is equally vulnerable.
>
> I will update you when more information is available.
>
>
> Best regards,
>
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
> Tom White)
>
>
>
> ----- Forwarded Message -----
>> From: Aaron T. Myers
>> To: general@hadoop.apache.org; security@apache.org;
>> full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>> Cc:
>> Sent: Thursday, April 5, 2012 7:31 PM
>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Hello,
>>
>> Users of Apache Hadoop should be aware of a security vulnerability recently
>> discovered, as described by the following CVE. In particular, please note
>> the "Users affected", "Versions affected", and
>> "Mitigation" sections.
>>
>> Best,
>> Aaron
>>
>> --
>> Aaron T. Myers
>> Software Engineer, Cloudera
>>
>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>
>> Severity: Critical
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>> Hadoop 1.0.0 to 1.0.1
>> Hadoop 0.23.0 to 0.23.1.
>>
>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>> features.
>>
>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>> any other user on the cluster.
>>
>> Mitigation:
>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>
>> Credit:
>> This issue was discovered by Aaron T. Myers of Cloudera.
>>
>
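An exposure-triage helper for the advisory above, added here as an example and not part of either forwarded message or of the Hadoop project: it transcribes the "Versions Affected" ranges and "Mitigation" targets into inclusive version ranges, and checks the "Users affected" condition by reading `hadoop.security.authentication` (the core-site.xml key that switches Hadoop to Kerberos) from a constructed sample file. The function names are this example's own, and the version parser assumes a `hadoop version` first line of the form `Hadoop 1.0.1`.

```python
# Exposure triage for CVE-2012-1574; added example, not part of the advisory.
# Version ranges and upgrade targets are transcribed from the CVE's "Versions
# Affected" and "Mitigation" sections; function names and the sample
# core-site.xml are this example's own.
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Inclusive (lowest affected, highest affected, fixed release) per the advisory.
AFFECTED_RANGES = [
    ((0, 20, 203, 0), (0, 20, 205, 0), "1.0.2"),
    ((1, 0, 0), (1, 0, 1), "1.0.2"),
    ((0, 23, 0), (0, 23, 1), "0.23.2 (when available)"),
]


def parse_version(text: str) -> Version:
    """Accept '1.0.1', '0.20.205.0-SNAPSHOT' or a 'Hadoop 1.0.1' line."""
    core = text.strip().split()[-1].split("-")[0]  # drop prefix and qualifier
    return tuple(int(p) for p in core.split("."))


def _pad(v: Version, n: int) -> Version:
    return v + (0,) * (n - len(v))  # compare 1.0.1 and 1.0.1.0 as equal


def upgrade_target(version_text: str) -> Optional[str]:
    """Return the fixed release if the version is affected, else None."""
    v = parse_version(version_text)
    for lo, hi, fixed in AFFECTED_RANGES:
        n = max(len(v), len(lo), len(hi))
        if _pad(lo, n) <= _pad(v, n) <= _pad(hi, n):
            return fixed
    return None


def kerberos_enabled(core_site_xml: str) -> bool:
    """The advisory's 'Users affected' condition: Kerberos security turned on."""
    for prop in ET.fromstring(core_site_xml).iter("property"):
        if prop.findtext("name", "").strip() == "hadoop.security.authentication":
            return prop.findtext("value", "").strip().lower() == "kerberos"
    return False  # Hadoop's default is 'simple' authentication


# Constructed sample core-site.xml (not from the page).
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""
```

A host is exposed only when `upgrade_target` returns a release and `kerberos_enabled` is true; a version match with simple authentication falls outside the advisory's "Users affected" scope.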