[Full-disclosure] [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
- From: "Aaron T. Myers" <atm@xxxxxxxxxxxx>
- Date: Thu, 5 Apr 2012 19:31:33 -0700
Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note
the "Users affected", "Versions affected", and "Mitigation" sections.
Aaron T. Myers
Software Engineer, Cloudera
CVE-2012-1574: Apache Hadoop user impersonation vulnerability
Vendor: The Apache Software Foundation
Versions affected:
Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
Hadoop 1.0.0 to 1.0.1
Hadoop 0.23.0 to 0.23.1
Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
Impact: Vulnerability allows an authenticated malicious user to impersonate
any other user on the cluster.
Mitigation:
0.20.20x.x and 1.0.x users should upgrade to 1.0.2
0.23.x users should upgrade to 0.23.2 when it becomes available
This issue was discovered by Aaron T. Myers of Cloudera.