Message-ID: <ce6e987d-35f9-48ef-8227-91a02d9ffc44@journal.report.generator>
Date: Mon, 9 Jul 2012 12:38:35 -0400
From: "Aaron T. Myers" <atm@...udera.com>
To: <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>
Subject: [CVE-2012-3376] Apache Hadoop HDFS information disclosure vulnerability

From: "Aaron T. Myers" <atm@...udera.com>
Date: Fri, 6 Jul 2012 12:02:13 -0700
Message-ID: <CA+4052kPieH5zTmuWEWW93wwjvf7NzM4VnsFMy6yqWcE6ei95A@...l.gmail.com>
Subject: [CVE-2012-3376] Apache Hadoop HDFS information disclosure vulnerability
To: <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>


Hello,

Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note the
"Users affected", "Versions affected", and "Mitigation" sections.

The project team will be announcing a release vote shortly for Apache Hadoop
2.0.1-alpha, which will consist of the contents of Apache Hadoop 2.0.0-alpha,
this security patch, and a few patches for YARN.

Best,
Aaron T. Myers
Software Engineer, Cloudera

CVE-2012-3376: Apache Hadoop HDFS information disclosure vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Hadoop 2.0.0-alpha

Users affected:
Users who have enabled Hadoop's Kerberos/HDFS security features.

Impact:
Malicious clients may gain write access to data for which they have read-only
permission, or gain read access to any data blocks whose IDs they can
determine.

Description:
When Hadoop's security features are enabled, clients authenticate to DataNodes
using BlockTokens issued by the NameNode to the client. The DataNodes are able
to verify the validity of a BlockToken, and will reject BlockTokens that were
not issued by the NameNode. The DataNode determines whether or not it should
check for BlockTokens when it registers with the NameNode.

Due to a bug in the DataNode/NameNode registration process, a DataNode which
registers more than once for the same block pool will conclude that it
thereafter no longer needs to check for BlockTokens sent by clients. That is,
the client will continue to send BlockTokens as part of its communication with
DataNodes, but the DataNodes will not check the validity of the tokens. A
DataNode will register more than once for the same block pool whenever the
NameNode restarts, or when HA is enabled.
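The failure mode described above, as an added illustrative model that is not Hadoop's code: a DataNode that decides at registration time whether to verify BlockTokens, with a buggy variant that treats a re-registration for the same block pool as a reason to stop checking, beside a corrected variant that takes the decision from the NameNode on every registration. The `NameNode`, `DataNode`, `BlockToken` classes and the HMAC-based token format are constructed for the example; only the registration/verification behaviour mirrors the advisory.

```python
"""Constructed model of the CVE-2012-3376 failure mode (not Hadoop's code)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class BlockToken:
    block_id: int
    mode: str      # "READ" or "WRITE", as granted by the NameNode
    mac: bytes     # HMAC over (block_id, mode) with the NameNode's secret


class NameNode:
    """Issues BlockTokens; hands its key material to DataNodes on registration."""
    def __init__(self, secret: bytes, security_enabled: bool = True):
        self.secret, self.security_enabled = secret, security_enabled

    def issue(self, block_id: int, mode: str) -> BlockToken:
        msg = f"{block_id}:{mode}".encode()
        return BlockToken(block_id, mode, hmac.new(self.secret, msg, hashlib.sha256).digest())

    def registration_keys(self) -> dict:
        return {"enabled": self.security_enabled, "secret": self.secret}


class DataNode:
    def __init__(self, fixed: bool):
        self.fixed, self.registered_pools = fixed, set()
        self.check_tokens, self.secret = False, None

    def register(self, pool_id: str, nn: NameNode) -> None:
        keys = nn.registration_keys()
        first_time = pool_id not in self.registered_pools
        if self.fixed:
            # Corrected: the NameNode's keys decide on every registration
            self.check_tokens = keys["enabled"]
        else:
            # Buggy (hypothetical mechanism): only a first registration for the
            # pool enables checking; a repeat (NameNode restart, HA) disables it
            self.check_tokens = first_time and keys["enabled"]
        if first_time:
            self.secret = keys["secret"]
        self.registered_pools.add(pool_id)

    def access(self, token: BlockToken, block_id: int, mode: str) -> bool:
        if not self.check_tokens:
            return True  # token is transmitted by the client but never validated
        msg = f"{token.block_id}:{token.mode}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (hmac.compare_digest(expected, token.mac)
                and token.block_id == block_id
                and (token.mode == mode or (token.mode == "WRITE" and mode == "READ")))
```

A regression test for the fix registers the same block pool twice and confirms a token with a bad MAC is still rejected afterwards.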

Mitigation:
Users of 2.0.0-alpha should immediately apply the patch provided below to their
systems. Users should upgrade to 2.0.1-alpha as soon as it becomes available.

Credit: This issue was discovered by Aaron T. Myers of Cloudera.

A signed patch against Apache Hadoop 2.0.0-alpha for this issue can be found
here: https://people.apache.org/~atm/cve-2012-3376/

