lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <CA+4052nCTd++x=0=q4mf2KE4ZES4OwVGdJ5QLNVQcUFiFkXJpw@mail.gmail.com>
Date: Thu, 5 Apr 2012 19:35:35 -0700
From: "Aaron T. Myers" <atm@...udera.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Hello,

Users of Apache Hadoop should be aware of a security vulnerability
recently discovered, as described by the following CVE. In particular,
please note the "Users affected", "Versions affected", and
"Mitigation" sections.

Best,
Aaron

--
Aaron T. Myers
Software Engineer, Cloudera

CVE-2012-1574: Apache Hadoop user impersonation vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
Hadoop 1.0.0 to 1.0.1
Hadoop 0.23.0 to 0.23.1

Users affected: Users who have enabled Hadoop's Kerberos/MapReduce
security features.

Impact: Vulnerability allows an authenticated malicious user to
impersonate any other user on the cluster.

Mitigation:
0.20.20x.x and 1.0.x users should upgrade to 1.0.2
0.23.x users should upgrade to 0.23.2 when it becomes available

Credit:
This issue was discovered by Aaron T. Myers of Cloudera.
