I received off-list communication that the fix is here: https://github.com/apache/hadoop-common/commit/fda454

Thank you, this is the missing disclosure we were looking for. I did not go so far back in time as >~ 21 days because the announcement was made today, so missed it. So there is additional mitigation possible; for example, a user can patch task-controller quite readily and roll out an emergency upgrade.

Best regards,

  - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)

----- Original Message -----
> From: Andrew Purtell <[email protected]>
> To: "[email protected]" <[email protected]>; "[email protected]" <[email protected]>
> Cc:
> Sent: Friday, April 6, 2012 10:02 AM
> Subject: Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>
> This is not a helpful disclosure.
>
> Now we know our "secure" deployment is vulnerable, but have no idea
> how to mitigate. Claiming an upgrade to a nonexistent version with an,
> apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA
> for this?
>
> Best regards,
>
>   - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
>
>
> ----- Original Message -----
>> From: Aaron T. Myers <[email protected]>
>> To: [email protected]; [email protected]; [email protected]; [email protected]
>> Cc:
>> Sent: Thursday, April 5, 2012 7:31 PM
>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Hello,
>>
>> Users of Apache Hadoop should be aware of a security vulnerability recently
>> discovered, as described by the following CVE. In particular, please note
>> the "Users affected", "Versions affected", and "Mitigation" sections.
>>
>> Best,
>> Aaron
>>
>> --
>> Aaron T. Myers
>> Software Engineer, Cloudera
>>
>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>
>> Severity: Critical
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>> Hadoop 1.0.0 to 1.0.1
>> Hadoop 0.23.0 to 0.23.1.
>>
>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security features.
>>
>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>> any other user on the cluster.
>>
>> Mitigation:
>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>
>> Credit:
>> This issue was discovered by Aaron T. Myers of Cloudera.
>>
>
