Message-ID: <CA+4052=hJd3M4Cs9c4=BktE8V3E8tzU88+TO9g7H5adpor+_zg@mail.gmail.com>
Date: Thu, 5 Apr 2012 19:31:33 -0700
From: "Aaron T. Myers" <atm@...udera.com>
To: general@...oop.apache.org, security@...che.org,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Hello,
Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note
the "Users affected", "Versions affected", and "Mitigation" sections.
Best,
Aaron
--
Aaron T. Myers
Software Engineer, Cloudera
CVE-2012-1574: Apache Hadoop user impersonation vulnerability
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected:
Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
Hadoop 1.0.0 to 1.0.1
Hadoop 0.23.0 to 0.23.1
Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
features.
Impact: The vulnerability allows an authenticated malicious user to impersonate
any other user on the cluster.
Mitigation:
0.20.20x.x and 1.0.x users should upgrade to 1.0.2
0.23.x users should upgrade to 0.23.2 when it becomes available
Credit:
This issue was discovered by Aaron T. Myers of Cloudera.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/