Hi Knox experts,
I have my environment running with Knox 0.12.0 already, but I am still getting
the same impersonation warning messages as shown below -
"2018-02-22 21:14:39,671 WARN hadoop.gateway
(IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(199))
- Possible identity spoofing attempt - impersonation parameter removed: user.name"
The way I produce this first I make a request to create a file -
import requests

# Step 1: ask WebHDFS (through Knox) to create the file; the 307 redirect is
# not followed automatically so the Location header can be read afterwards.
url = ('https://' + hostip +
       ':8443/gateway/default/webhdfs/v1/user/clsadmin/test/' + filetag + '_' +
       str(num) + '.txt?op=CREATE&overwrite=true')
req = requests.put(url, verify=False, auth=(user, pwd), allow_redirects=False)
The above put request will not trigger any warning messages like that.
Then I have the following request to put some data into the file -
# Step 2: upload the file contents to the Location returned by the redirect.
location = req.headers['Location']
with open(dataFile, 'rb') as mydata:
    newreq = requests.put(location, verify=False, auth=(user, pwd), data=mydata)
This second request will trigger the warning message mentioned above.
Is this an issue? Or what's the recommended approach to avoid the warning?
Thanks a lot!
- Yongli
On 2017/05/26 18:26:44, larry mccay <[email protected]> wrote:
> CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> All versions of Apache Knox prior to 0.12.0
>
> An authenticated user may use a specially crafted URL to impersonate another
> user while accessing WebHDFS through Apache Knox. This may result in escalated
> privileges and unauthorized data access. While this activity is audit logged
> and can be easily associated with the authenticated user, this is still a
> serious security issue.
>
> Mitigation:
> All users are recommended to upgrade to Apache Knox 0.12.0,
> where validation, scrubbing and logging of such attempts has been added.
>
> The Apache Knox 0.12.0 release can be downloaded from:
> Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
> Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
>
Best regards,
Yongli An
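A client-side way to do the two-step CREATE above without carrying a principal parameter into the second request, added here as an example; it is not code from this thread or from the Knox project. It assumes the redirect's Location query string carries a user.name parameter (which is what the scrub warning indicates), and the sample Location string, host names and paths are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters the gateway treats as an identity assertion and scrubs.
# user.name is the one named in the warning above; extend as needed.
IDENTITY_PARAMS = ("user.name",)

# Constructed sample of a redirect Location as returned by the first PUT.
SAMPLE_LOCATION = ("https://knoxhost:8443/gateway/default/webhdfs/data/v1/"
                   "user/clsadmin/test/a_1.txt?op=CREATE&user.name=clsadmin"
                   "&overwrite=true")


def identity_params_in(url, params=IDENTITY_PARAMS):
    """Return the identity-asserting parameter names present in url's query."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k in params]


def strip_identity_params(url, params=IDENTITY_PARAMS):
    """Return url with the identity parameters removed; other parameters keep
    their order, so op=, overwrite= and similar WebHDFS arguments survive."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in params]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def webhdfs_create(session, base, path, data, auth):
    """Two-step WebHDFS CREATE through Knox. `session` is a requests.Session
    (or any object with the same put() signature); the redirect is not followed
    automatically, the Location is cleaned, then the data is uploaded to it.
    Returns (cleaned_location, final_status_code)."""
    first = session.put(base + path + "?op=CREATE&overwrite=true",
                        auth=auth, allow_redirects=False)
    location = strip_identity_params(first.headers["Location"])
    second = session.put(location, auth=auth, data=data)
    return location, second.status_code


if __name__ == "__main__":
    print("identity params in redirect:", identity_params_in(SAMPLE_LOCATION))
    print("cleaned Location:", strip_identity_params(SAMPLE_LOCATION))
```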