From: Andrew Purtell
Reply-To: dev@hbase.apache.org
To: "dev@hbase.apache.org"
Date: Fri, 6 Apr 2012 10:30:29 -0700 (PDT)
Subject: Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Message-ID: <1333733429.24030.YahooMailNeo@web164502.mail.gq1.yahoo.com>
In-Reply-To: <1333732358.60670.YahooMailNeo@web164501.mail.gq1.yahoo.com>

Thanks.

The problem with that disclosure as written is that it provided no information as to the nature of the vulnerability. And, as you mention, the CVE is 404.

> "Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security features."

Well, we have enabled Hadoop's Kerberos security features. The additional qualification of "MapReduce" is there, but there is insufficient context. So a broad reading is required.

> "Impact: Vulnerability allows an authenticated malicious user to impersonate any other user on the cluster."

The implication, given the lack of information, is that Hadoop's Kerberos-based authentication is worthless.

Thankfully that is not the case, and HBase is not affected.

Best regards,

    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)


----- Original Message -----
> From: Joey Echeverria
> To: dev@hbase.apache.org; Andrew Purtell
> Cc:
> Sent: Friday, April 6, 2012 10:19 AM
> Subject: Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>
> I'm not sure why the CVE isn't published yet, but the details are
> available here:
>
> https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin
>
> -Joey
>
> On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell wrote:
>> Failed to CC dev@, my apologies.
>>
>>
>> ----- Forwarded Message -----
>>
>>> From: Andrew Purtell
>>> To: "user@hbase.apache.org"
>>> Cc:
>>> Sent: Friday, April 6, 2012 10:11 AM
>>> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>
>>> Details of the below vulnerability have not been released.
>>>
>>> Given that HBase security has as its foundation Apache Hadoop authentication, at
>>> this time we must assume any secure HBase deployment is equally vulnerable.
>>>
>>> I will update you when more information is available.
>>>
>>>
>>> Best regards,
>>>
>>>
>>>     - Andy
>>>
>>> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
>>> Tom White)
>>>
>>>
>>>
>>> ----- Forwarded Message -----
>>>> From: Aaron T. Myers
>>>> To: general@hadoop.apache.org; security@apache.org;
>>>> full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>>> Cc:
>>>> Sent: Thursday, April 5, 2012 7:31 PM
>>>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>>
>>>> Hello,
>>>>
>>>> Users of Apache Hadoop should be aware of a security vulnerability recently
>>>> discovered, as described by the following CVE. In particular, please note
>>>> the "Users affected", "Versions affected", and
>>>> "Mitigation" sections.
>>>>
>>>> Best,
>>>> Aaron
>>>>
>>>> --
>>>> Aaron T. Myers
>>>> Software Engineer, Cloudera
>>>>
>>>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>>
>>>> Severity: Critical
>>>>
>>>> Vendor: The Apache Software Foundation
>>>>
>>>> Versions Affected:
>>>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>> Hadoop 1.0.0 to 1.0.1
>>>> Hadoop 0.23.0 to 0.23.1.
>>>>
>>>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>>>> features.
>>>>
>>>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>>>> any other user on the cluster.
>>>>
>>>> Mitigation:
>>>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>>>
>>>> Credit:
>>>> This issue was discovered by Aaron T. Myers of Cloudera.
>>>>
>>>
>
>
>
> --
> Joey Echeverria
> Senior Solutions Architect
> Cloudera, Inc.