I'm not sure why the CVE isn't published yet, but the details are available here:
https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin

-Joey

On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <[email protected]> wrote:
> Failed to CC dev@, my apologies.
>
> ----- Forwarded Message -----
>
>> From: Andrew Purtell <[email protected]>
>> To: "[email protected]" <[email protected]>
>> Cc:
>> Sent: Friday, April 6, 2012 10:11 AM
>> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Details of the below vulnerability have not been released.
>>
>> Given that HBase security has as its foundation Apache Hadoop authentication, at
>> this time we must assume any secure HBase deployment is equally vulnerable.
>>
>> I will update you when more information is available.
>>
>> Best regards,
>>
>> - Andy
>>
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
>> Tom White)
>>
>> ----- Forwarded Message -----
>>> From: Aaron T. Myers <[email protected]>
>>> To: [email protected]; [email protected]; [email protected]; [email protected]
>>> Cc:
>>> Sent: Thursday, April 5, 2012 7:31 PM
>>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>
>>> Hello,
>>>
>>> Users of Apache Hadoop should be aware of a security vulnerability recently
>>> discovered, as described by the following CVE. In particular, please note
>>> the "Users affected", "Versions affected", and "Mitigation" sections.
>>>
>>> Best,
>>> Aaron
>>>
>>> --
>>> Aaron T. Myers
>>> Software Engineer, Cloudera
>>>
>>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>
>>> Severity: Critical
>>>
>>> Vendor: The Apache Software Foundation
>>>
>>> Versions Affected:
>>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>> Hadoop 1.0.0 to 1.0.1
>>> Hadoop 0.23.0 to 0.23.1
>>>
>>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>>> features.
>>>
>>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>>> any other user on the cluster.
>>>
>>> Mitigation:
>>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>>
>>> Credit:
>>> This issue was discovered by Aaron T. Myers of Cloudera.
>>>

--
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.
