[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

To: general@xxxxxxxxxxxxxxxxx, security@xxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
From: "Aaron T. Myers" <atm@xxxxxxxxxxxx>
Date: Thu, 5 Apr 2012 19:31:33 -0700

Hello,

Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note
the "Users affected", "Versions affected", and "Mitigation" sections.

Best,
Aaron

--
Aaron T. Myers
Software Engineer, Cloudera

CVE-2012-1574: Apache Hadoop user impersonation vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
Hadoop 1.0.0 to 1.0.1
Hadoop 0.23.0 to 0.23.1.

Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
features.

Impact: Vulnerability allows an authenticated malicious user to impersonate
any other user on the cluster.

Mitigation:
0.20.20x.x and 1.0.x users should upgrade to 1.0.2
0.23.x users should upgrade to 0.23.2 when it becomes available

Credit:
This issue was discovered by Aaron T. Myers of Cloudera.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] mac trojan
Next by Date: Re: [Full-disclosure] [funsec] mac trojan
Previous by thread: [Full-disclosure] Sagan 0.2.1 [Security Event/Log Analyzer] Released.
Next by thread: [Full-disclosure] Shakacon CFP - Extended Deadline: April 13, 2012
Index(es):
- Date
- Thread