If you're not running MapReduce, you're safe. -Joey
On Fri, Apr 6, 2012 at 10:30 AM, Andrew Purtell <[email protected]> wrote:
> Thanks.
>
> The problem with that disclosure as written is it provided no information as
> to the nature of the vulnerability. And, as you mention, the CVE is 404.
>
>> "Users affected: Users who have enabled Hadoop's Kerberos/MapReduce
>> security features."
>
> Well, we have enabled Hadoop's Kerberos security features. The additional
> qualification of "MapReduce" is there but there is insufficient context. So a
> broad reading is required.
>
>> "Impact: Vulnerability allows an authenticated malicious user to
>> impersonate any other user on the cluster."
>
> The implication given the lack of information is that Hadoop's Kerberos based
> authentication is worthless.
>
> Thankfully that is not the case, and HBase is not affected.
>
> Best regards,
>
> - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
> Tom White)
>
> ----- Original Message -----
>> From: Joey Echeverria <[email protected]>
>> To: [email protected]; Andrew Purtell <[email protected]>
>> Cc:
>> Sent: Friday, April 6, 2012 10:19 AM
>> Subject: Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> I'm not sure why the CVE isn't published yet, but the details are
>> available here:
>>
>> https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin
>>
>> -Joey
>>
>> On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <[email protected]> wrote:
>>> Failed to CC dev@, my apologies.
>>>
>>> ----- Forwarded Message -----
>>>
>>>> From: Andrew Purtell <[email protected]>
>>>> To: "[email protected]" <[email protected]>
>>>> Cc:
>>>> Sent: Friday, April 6, 2012 10:11 AM
>>>> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>>
>>>> Details of the below vulnerability have not been released.
>>>>
>>>> Given that HBase security has as its foundation Apache Hadoop authentication, at
>>>> this time we must assume any secure HBase deployment is equally vulnerable.
>>>>
>>>> I will update you when more information is available.
>>>>
>>>> Best regards,
>>>>
>>>> - Andy
>>>>
>>>> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
>>>> Tom White)
>>>>
>>>> ----- Forwarded Message -----
>>>>> From: Aaron T. Myers <[email protected]>
>>>>> To: [email protected]; [email protected]; [email protected]; [email protected]
>>>>> Cc:
>>>>> Sent: Thursday, April 5, 2012 7:31 PM
>>>>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>>>
>>>>> Hello,
>>>>>
>>>>> Users of Apache Hadoop should be aware of a security vulnerability recently
>>>>> discovered, as described by the following CVE. In particular, please note
>>>>> the "Users affected", "Versions affected", and "Mitigation" sections.
>>>>>
>>>>> Best,
>>>>> Aaron
>>>>>
>>>>> --
>>>>> Aaron T. Myers
>>>>> Software Engineer, Cloudera
>>>>>
>>>>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>>>
>>>>> Severity: Critical
>>>>>
>>>>> Vendor: The Apache Software Foundation
>>>>>
>>>>> Versions Affected:
>>>>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>>> Hadoop 1.0.0 to 1.0.1
>>>>> Hadoop 0.23.0 to 0.23.1.
>>>>>
>>>>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>>>>> features.
>>>>>
>>>>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>>>>> any other user on the cluster.
>>>>>
>>>>> Mitigation:
>>>>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>>>>
>>>>> Credit:
>>>>> This issue was discovered by Aaron T. Myers of Cloudera.
>>>>>
>>>>
>>
>> --
>> Joey Echeverria
>> Senior Solutions Architect
>> Cloudera, Inc.
--
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.
