This is not a helpful disclosure. Now we know our "secure" deployment is vulnerable, but have no idea how to mitigate. Claiming an upgrade to a nonexistent version with an, apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA for this?
Best regards,
- Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)

----- Original Message -----
> From: Aaron T. Myers <[email protected]>
> To: [email protected]; [email protected]; [email protected]; [email protected]
> Cc:
> Sent: Thursday, April 5, 2012 7:31 PM
> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>
> Hello,
>
> Users of Apache Hadoop should be aware of a security vulnerability recently
> discovered, as described by the following CVE. In particular, please note
> the "Users affected", "Versions affected", and "Mitigation" sections.
>
> Best,
> Aaron
>
> --
> Aaron T. Myers
> Software Engineer, Cloudera
>
> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>
> Severity: Critical
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
> Hadoop 1.0.0 to 1.0.1
> Hadoop 0.23.0 to 0.23.1.
>
> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
> features.
>
> Impact: Vulnerability allows an authenticated malicious user to impersonate
> any other user on the cluster.
>
> Mitigation:
> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
> 0.23.x users should upgrade to 0.23.2 when it becomes available
>
> Credit:
> This issue was discovered by Aaron T. Myers of Cloudera.
