Posted to general@hadoop.apache.org by "Aaron T. Myers" <at...@cloudera.com> on 2012/04/06 04:31:33 UTC

[CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Hello,

Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note
the "Users affected", "Versions affected", and "Mitigation" sections.

Best,
Aaron

--
Aaron T. Myers
Software Engineer, Cloudera

CVE-2012-1574: Apache Hadoop user impersonation vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
Hadoop 1.0.0 to 1.0.1
Hadoop 0.23.0 to 0.23.1.

Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
features.

Impact: Vulnerability allows an authenticated malicious user to impersonate
any other user on the cluster.

Mitigation:
0.20.20x.x and 1.0.x users should upgrade to 1.0.2
0.23.x users should upgrade to 0.23.2 when it becomes available

Credit:
This issue was discovered by Aaron T. Myers of Cloudera.
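Added example, not part of the thread or of Hadoop's own code: a check that applies the advisory's three stated conditions (an affected release, Kerberos enabled, MapReduce security in use) to a cluster's version and configuration. The configuration keys it reads (hadoop.security.authentication, mapred.task.tracker.task-controller) and the use of LinuxTaskController as the marker for "MapReduce security features" are assumptions about Hadoop 1.x / MRv1, not something the advisory names; the two *-site.xml documents are constructed samples.

```python
# Exposure check for CVE-2012-1574 against the advisory's stated conditions.
# Added example, not code from the advisory or the Hadoop project. The config
# keys and the LinuxTaskController marker are assumed Hadoop 1.x / MRv1 names.
import xml.etree.ElementTree as ET

# Inclusive affected ranges, exactly as listed in the advisory.
AFFECTED = [
    ((0, 20, 203, 0), (0, 20, 205, 0)),   # 0.20.203.0 .. 0.20.205.0
    ((1, 0, 0), (1, 0, 1)),               # 1.0.0 .. 1.0.1 (fixed in 1.0.2)
    ((0, 23, 0), (0, 23, 1)),             # 0.23.0 .. 0.23.1 (fixed in 0.23.2)
]

# Constructed sample configuration, not taken from any real cluster.
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
</configuration>"""

MAPRED_SITE = """<configuration>
  <property>
    <name>mapred.task.tracker.task-controller</name>
    <value>org.apache.hadoop.mapred.LinuxTaskController</value>
  </property>
</configuration>"""


def parse_version(text):
    """'1.0.1-SNAPSHOT' -> (1, 0, 1); a trailing qualifier is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def _pad(parts, n):
    # Right-pad with zeros so 1.0.1 and 0.20.203.0 compare component-wise.
    return parts + (0,) * (n - len(parts))


def version_affected(text):
    """True if the version falls inside one of the advisory's ranges."""
    ver = parse_version(text)
    for lo, hi in AFFECTED:
        n = max(len(ver), len(lo), len(hi))
        if _pad(lo, n) <= _pad(ver, n) <= _pad(hi, n):
            return True
    return False


def load_hadoop_conf(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def assess(version, core_site_xml, mapred_site_xml):
    """Return (exposed, reason). Exposure needs all three advisory conditions:
    an affected version, Kerberos authentication, and MapReduce security."""
    if not version_affected(version):
        return False, "version %s is outside the affected ranges" % version
    core = load_hadoop_conf(core_site_xml)
    if core.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        return False, "Kerberos authentication is not enabled"
    mapred = load_hadoop_conf(mapred_site_xml)
    controller = mapred.get("mapred.task.tracker.task-controller", "")
    if "LinuxTaskController" not in controller:
        return False, "secure MapReduce (LinuxTaskController) is not in use"
    return True, "affected release with Kerberos and secure MapReduce enabled"


if __name__ == "__main__":
    for ver in ("0.20.205.0", "1.0.1", "1.0.2", "0.23.1", "0.23.2"):
        print(ver, assess(ver, CORE_SITE, MAPRED_SITE))
```

An HDFS-only deployment fails the third condition and reports not exposed, which matches the clarification later in the thread that clusters not running MapReduce are unaffected.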

Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Joey Echeverria <jo...@cloudera.com>.
I don't know when the CVE will be published, but there are details
available here:

https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin

-Joey

On Fri, Apr 6, 2012 at 10:11 AM, Andrew Purtell <ap...@apache.org> wrote:
> Details of the below vulnerability have not been released.
>
> Given that HBase security has as its foundation Apache Hadoop authentication, at this time we must assume any secure HBase deployment is equally vulnerable.
>
> I will update you when more information is available.
>
>
> Best regards,
>
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
>
>
>
> ----- Forwarded Message -----
>> From: Aaron T. Myers <at...@cloudera.com>
>> To: general@hadoop.apache.org; security@apache.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>> Cc:
>> Sent: Thursday, April 5, 2012 7:31 PM
>> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Hello,
>>
>> Users of Apache Hadoop should be aware of a security vulnerability recently
>> discovered, as described by the following CVE. In particular, please note
>> the "Users affected", "Versions affected", and
>> "Mitigation" sections.
>>
>> Best,
>> Aaron
>>
>> --
>> Aaron T. Myers
>> Software Engineer, Cloudera
>>
>> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>
>> Severity: Critical
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>> Hadoop 1.0.0 to 1.0.1
>> Hadoop 0.23.0 to 0.23.1.
>>
>> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
>> features.
>>
>> Impact: Vulnerability allows an authenticated malicious user to impersonate
>> any other user on the cluster.
>>
>> Mitigation:
>> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>> 0.23.x users should upgrade to 0.23.2 when it becomes available
>>
>> Credit:
>> This issue was discovered by Aaron T. Myers of Cloudera.
>>



-- 
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.

Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Joey Echeverria <jo...@cloudera.com>.
If you're not running MapReduce, you're safe.

-Joey

On Fri, Apr 6, 2012 at 10:30 AM, Andrew Purtell <ap...@apache.org> wrote:
> Thanks.
>
>
> The problem with that disclosure as written is it provided no information as to the nature of the vulnerability. And, as you mention, the CVE is 404.
>
>> "Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security features."
>
> Well, we have enabled Hadoop's Kerberos security features. The additional qualification of "MapReduce" is there but there is insufficient context. So a broad reading is required.
>
>> "Impact: Vulnerability allows an authenticated malicious user to impersonate any other user on the cluster."
>
> The implication given the lack of information is that Hadoop's Kerberos based authentication is worthless.
>
> Thankfully that is not the case, and HBase is not affected.
>
> Best regards,
>
>
>     - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
>
>
>
> ----- Original Message -----
>> From: Joey Echeverria <jo...@cloudera.com>
>> To: dev@hbase.apache.org; Andrew Purtell <ap...@apache.org>
>> Cc:
>> Sent: Friday, April 6, 2012 10:19 AM
>> Subject: Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> I'm not sure why the CVE isn't published yet, but the details are
>> available here:
>>
>> https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin
>>
>> -Joey
>>
>> On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <ap...@apache.org>
>> wrote:
>>>  Failed to CC dev@, my apologies.
>>>
>>>
>>>
>>>  ----- Forwarded Message -----
>>>
>>>>  From: Andrew Purtell <ap...@apache.org>
>>>>  To: "user@hbase.apache.org" <us...@hbase.apache.org>
>>>>  Cc:
>>>>  Sent: Friday, April 6, 2012 10:11 AM
>>>>  Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation
>> vulnerability
>>>>
>>>>  Details of the below vulnerability have not been released.
>>>>
>>>>  Given that HBase security has as its foundation Apache Hadoop
>> authentication, at
>>>>  this time we must assume any secure HBase deployment is equally
>> vulnerable.
>>>>
>>>>  I will update you when more information is available.
>>>>
>>>>
>>>>  Best regards,
>>>>
>>>>
>>>>      - Andy
>>>>
>>>>  Problems worthy of attack prove their worth by hitting back. - Piet
>> Hein (via
>>>>  Tom White)
>>>>
>>>>
>>>>
>>>>  ----- Forwarded Message -----
>>>>>   From: Aaron T. Myers <at...@cloudera.com>
>>>>>   To: general@hadoop.apache.org; security@apache.org;
>>>>  full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>>>>   Cc:
>>>>>   Sent: Thursday, April 5, 2012 7:31 PM
>>>>>   Subject: [CVE-2012-1574] Apache Hadoop user impersonation
>> vulnerability
>>>>>
>>>>>   Hello,
>>>>>
>>>>>   Users of Apache Hadoop should be aware of a security vulnerability
>> recently
>>>>>   discovered, as described by the following CVE. In particular,
>> please note
>>>>>   the "Users affected", "Versions affected", and
>>>>>   "Mitigation" sections.
>>>>>
>>>>>   Best,
>>>>>   Aaron
>>>>>
>>>>>   --
>>>>>   Aaron T. Myers
>>>>>   Software Engineer, Cloudera
>>>>>
>>>>>   CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>>>
>>>>>   Severity: Critical
>>>>>
>>>>>   Vendor: The Apache Software Foundation
>>>>>
>>>>>   Versions Affected:
>>>>>   Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>>>   Hadoop 1.0.0 to 1.0.1
>>>>>   Hadoop 0.23.0 to 0.23.1.
>>>>>
>>>>>   Users affected: Users who have enabled Hadoop's
>> Kerberos/MapReduce
>>>>  security
>>>>>   features.
>>>>>
>>>>>   Impact: Vulnerability allows an authenticated malicious user to
>> impersonate
>>>>>   any other user on the cluster.
>>>>>
>>>>>   Mitigation:
>>>>>   0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>>>   0.23.x users should upgrade to 0.23.2 when it becomes available
>>>>>
>>>>>   Credit:
>>>>>   This issue was discovered by Aaron T. Myers of Cloudera.
>>>>>
>>>>
>>
>>
>>
>> --
>> Joey Echeverria
>> Senior Solutions Architect
>> Cloudera, Inc.
>>



-- 
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.

Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Andrew Purtell <ap...@apache.org>.
Thanks. 


The problem with that disclosure as written is it provided no information as to the nature of the vulnerability. And, as you mention, the CVE is 404.

> "Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security features."

Well, we have enabled Hadoop's Kerberos security features. The additional qualification of "MapReduce" is there but there is insufficient context. So a broad reading is required.

> "Impact: Vulnerability allows an authenticated malicious user to impersonate any other user on the cluster."

The implication given the lack of information is that Hadoop's Kerberos based authentication is worthless.

Thankfully that is not the case, and HBase is not affected.
 
Best regards,


    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)



----- Original Message -----
> From: Joey Echeverria <jo...@cloudera.com>
> To: dev@hbase.apache.org; Andrew Purtell <ap...@apache.org>
> Cc: 
> Sent: Friday, April 6, 2012 10:19 AM
> Subject: Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> 
> I'm not sure why the CVE isn't published yet, but the details are
> available here:
> 
> https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin
> 
> -Joey
> 
> On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <ap...@apache.org> 
> wrote:
>>  Failed to CC dev@, my apologies.
>> 
>> 
>> 
>>  ----- Forwarded Message -----
>> 
>>>  From: Andrew Purtell <ap...@apache.org>
>>>  To: "user@hbase.apache.org" <us...@hbase.apache.org>
>>>  Cc:
>>>  Sent: Friday, April 6, 2012 10:11 AM
>>>  Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation 
> vulnerability
>>> 
>>>  Details of the below vulnerability have not been released.
>>> 
>>>  Given that HBase security has as its foundation Apache Hadoop 
> authentication, at
>>>  this time we must assume any secure HBase deployment is equally 
> vulnerable.
>>> 
>>>  I will update you when more information is available.
>>> 
>>> 
>>>  Best regards,
>>> 
>>> 
>>>      - Andy
>>> 
>>>  Problems worthy of attack prove their worth by hitting back. - Piet 
> Hein (via
>>>  Tom White)
>>> 
>>> 
>>> 
>>>  ----- Forwarded Message -----
>>>>   From: Aaron T. Myers <at...@cloudera.com>
>>>>   To: general@hadoop.apache.org; security@apache.org;
>>>  full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>>>   Cc:
>>>>   Sent: Thursday, April 5, 2012 7:31 PM
>>>>   Subject: [CVE-2012-1574] Apache Hadoop user impersonation 
> vulnerability
>>>> 
>>>>   Hello,
>>>> 
>>>>   Users of Apache Hadoop should be aware of a security vulnerability 
> recently
>>>>   discovered, as described by the following CVE. In particular, 
> please note
>>>>   the "Users affected", "Versions affected", and
>>>>   "Mitigation" sections.
>>>> 
>>>>   Best,
>>>>   Aaron
>>>> 
>>>>   --
>>>>   Aaron T. Myers
>>>>   Software Engineer, Cloudera
>>>> 
>>>>   CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>> 
>>>>   Severity: Critical
>>>> 
>>>>   Vendor: The Apache Software Foundation
>>>> 
>>>>   Versions Affected:
>>>>   Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>>   Hadoop 1.0.0 to 1.0.1
>>>>   Hadoop 0.23.0 to 0.23.1.
>>>> 
>>>>   Users affected: Users who have enabled Hadoop's 
> Kerberos/MapReduce
>>>  security
>>>>   features.
>>>> 
>>>>   Impact: Vulnerability allows an authenticated malicious user to 
> impersonate
>>>>   any other user on the cluster.
>>>> 
>>>>   Mitigation:
>>>>   0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>>   0.23.x users should upgrade to 0.23.2 when it becomes available
>>>> 
>>>>   Credit:
>>>>   This issue was discovered by Aaron T. Myers of Cloudera.
>>>> 
>>> 
> 
> 
> 
> -- 
> Joey Echeverria
> Senior Solutions Architect
> Cloudera, Inc.
> 

Re: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Joey Echeverria <jo...@cloudera.com>.
I'm not sure why the CVE isn't published yet, but the details are
available here:

https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin

-Joey

On Fri, Apr 6, 2012 at 10:12 AM, Andrew Purtell <ap...@apache.org> wrote:
> Failed to CC dev@, my apologies.
>
>
>
> ----- Forwarded Message -----
>
>> From: Andrew Purtell <ap...@apache.org>
>> To: "user@hbase.apache.org" <us...@hbase.apache.org>
>> Cc:
>> Sent: Friday, April 6, 2012 10:11 AM
>> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>
>> Details of the below vulnerability have not been released.
>>
>> Given that HBase security has as its foundation Apache Hadoop authentication, at
>> this time we must assume any secure HBase deployment is equally vulnerable.
>>
>> I will update you when more information is available.
>>
>>
>> Best regards,
>>
>>
>>     - Andy
>>
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via
>> Tom White)
>>
>>
>>
>> ----- Forwarded Message -----
>>>  From: Aaron T. Myers <at...@cloudera.com>
>>>  To: general@hadoop.apache.org; security@apache.org;
>> full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>>  Cc:
>>>  Sent: Thursday, April 5, 2012 7:31 PM
>>>  Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>>>
>>>  Hello,
>>>
>>>  Users of Apache Hadoop should be aware of a security vulnerability recently
>>>  discovered, as described by the following CVE. In particular, please note
>>>  the "Users affected", "Versions affected", and
>>>  "Mitigation" sections.
>>>
>>>  Best,
>>>  Aaron
>>>
>>>  --
>>>  Aaron T. Myers
>>>  Software Engineer, Cloudera
>>>
>>>  CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>>>
>>>  Severity: Critical
>>>
>>>  Vendor: The Apache Software Foundation
>>>
>>>  Versions Affected:
>>>  Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>>  Hadoop 1.0.0 to 1.0.1
>>>  Hadoop 0.23.0 to 0.23.1.
>>>
>>>  Users affected: Users who have enabled Hadoop's Kerberos/MapReduce
>> security
>>>  features.
>>>
>>>  Impact: Vulnerability allows an authenticated malicious user to impersonate
>>>  any other user on the cluster.
>>>
>>>  Mitigation:
>>>  0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>>  0.23.x users should upgrade to 0.23.2 when it becomes available
>>>
>>>  Credit:
>>>  This issue was discovered by Aaron T. Myers of Cloudera.
>>>
>>



-- 
Joey Echeverria
Senior Solutions Architect
Cloudera, Inc.

Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Andrew Purtell <ap...@apache.org>.
Failed to CC dev@, my apologies.

 

----- Forwarded Message -----

> From: Andrew Purtell <ap...@apache.org>
> To: "user@hbase.apache.org" <us...@hbase.apache.org>
> Cc: 
> Sent: Friday, April 6, 2012 10:11 AM
> Subject: Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> 
> Details of the below vulnerability have not been released.
> 
> Given that HBase security has as its foundation Apache Hadoop authentication, at 
> this time we must assume any secure HBase deployment is equally vulnerable.
> 
> I will update you when more information is available.
> 
> 
> Best regards,
> 
> 
>     - Andy
> 
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via 
> Tom White)
> 
> 
> 
> ----- Forwarded Message -----
>>  From: Aaron T. Myers <at...@cloudera.com>
>>  To: general@hadoop.apache.org; security@apache.org; 
> full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>  Cc: 
>>  Sent: Thursday, April 5, 2012 7:31 PM
>>  Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>> 
>>  Hello,
>> 
>>  Users of Apache Hadoop should be aware of a security vulnerability recently
>>  discovered, as described by the following CVE. In particular, please note
>>  the "Users affected", "Versions affected", and 
>>  "Mitigation" sections.
>> 
>>  Best,
>>  Aaron
>> 
>>  --
>>  Aaron T. Myers
>>  Software Engineer, Cloudera
>> 
>>  CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>> 
>>  Severity: Critical
>> 
>>  Vendor: The Apache Software Foundation
>> 
>>  Versions Affected:
>>  Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>  Hadoop 1.0.0 to 1.0.1
>>  Hadoop 0.23.0 to 0.23.1.
>> 
>>  Users affected: Users who have enabled Hadoop's Kerberos/MapReduce 
> security
>>  features.
>> 
>>  Impact: Vulnerability allows an authenticated malicious user to impersonate
>>  any other user on the cluster.
>> 
>>  Mitigation:
>>  0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>  0.23.x users should upgrade to 0.23.2 when it becomes available
>> 
>>  Credit:
>>  This issue was discovered by Aaron T. Myers of Cloudera.
>> 
> 

Fw: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Andrew Purtell <ap...@apache.org>.
Details of the below vulnerability have not been released.

Given that HBase security has as its foundation Apache Hadoop authentication, at this time we must assume any secure HBase deployment is equally vulnerable.

I will update you when more information is available.


Best regards,


    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)



----- Forwarded Message -----
> From: Aaron T. Myers <at...@cloudera.com>
> To: general@hadoop.apache.org; security@apache.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Cc: 
> Sent: Thursday, April 5, 2012 7:31 PM
> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> 
> Hello,
> 
> Users of Apache Hadoop should be aware of a security vulnerability recently
> discovered, as described by the following CVE. In particular, please note
> the "Users affected", "Versions affected", and 
> "Mitigation" sections.
> 
> Best,
> Aaron
> 
> --
> Aaron T. Myers
> Software Engineer, Cloudera
> 
> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
> 
> Severity: Critical
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
> Hadoop 1.0.0 to 1.0.1
> Hadoop 0.23.0 to 0.23.1.
> 
> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
> features.
> 
> Impact: Vulnerability allows an authenticated malicious user to impersonate
> any other user on the cluster.
> 
> Mitigation:
> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
> 0.23.x users should upgrade to 0.23.2 when it becomes available
> 
> Credit:
> This issue was discovered by Aaron T. Myers of Cloudera.
> 

Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Eli Collins <el...@cloudera.com>.
Hey Andrew,

The project members were in the loop on the private Hadoop security
mailing list. This wasn't a vendor discussion.

We had a discussion about how much to disclose before sending out
this notification, and there were differing opinions. Agree that we
should disclose more information next time around, I'll push hard for
that next time.

Thanks,
Eli

On Fri, Apr 6, 2012 at 12:08 PM, Andrew Purtell <ap...@yahoo.com> wrote:
> Furthermore, I expect vendors were fully in the loop on some private mailing list. But here users get rather poor disclosure. Need I remind everyone that in open source, users are your peers? If one of your peers is running a customized version of your open source product in production, you must admit there was no actionable information in that disclosure.
>
> Best regards,
>
>    - Andy
>
>
> On Apr 6, 2012, at 11:43 AM, Andrew Purtell <ap...@yahoo.com> wrote:
>
>>> I trust you understand the sensitivity of this issue, and the need to balance a desire to disclose the issue fully to all users with a desire to not publish exploits of the issue.
>>
>> I can understand that point of view. However,
>>
>> 1) This is open source, not binary only distribution. The patch for this particular issue as I understand it is already in the public change history of the project, just not clearly called out. So what are you actually hiding here?
>>
>> 2) The CVE was itself 404 when I sent the earlier email, so the only available detail was the announcement to security@, a Cloudera web page not referenced, and project change history. I went back 14 days, not far enough, but how was I to know? Therefore in the absence of information the language of the disclosure implies that the Hadoop implementation of Kerberos authentication is worthless.
>>
>> Therefore I submit that next time more context is available in the disclosure announcement.
>>
>> Best regards,
>>
>>    - Andy
>>
>>
>> On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <at...@cloudera.com> wrote:
>>
>>> I trust you understand the sensitivity of this issue, and the need to
>>> balance a desire to disclose the issue fully to all users with a desire to
>>> not publish exploits of the issue.

Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Andrew Purtell <ap...@yahoo.com>.
Furthermore, I expect vendors were fully in the loop on some private mailing list. But here users get rather poor disclosure. Need I remind everyone that in open source, users are your peers? If one of your peers is running a customized version of your open source product in production, you must admit there was no actionable information in that disclosure. 

Best regards,

    - Andy


On Apr 6, 2012, at 11:43 AM, Andrew Purtell <ap...@yahoo.com> wrote:

>> I trust you understand the sensitivity of this issue, and the need to balance a desire to disclose the issue fully to all users with a desire to not publish exploits of the issue.
> 
> I can understand that point of view. However,
> 
> 1) This is open source, not binary only distribution. The patch for this particular issue as I understand it is already in the public change history of the project, just not clearly called out. So what are you actually hiding here? 
> 
> 2) The CVE was itself 404 when I sent the earlier email, so the only available detail was the announcement to security@, a Cloudera web page not referenced, and project change history. I went back 14 days, not far enough, but how was I to know? Therefore in the absence of information the language of the disclosure implies that the Hadoop implementation of Kerberos authentication is worthless.
> 
> Therefore I submit that next time more context is available in the disclosure announcement.
> 
> Best regards,
> 
>    - Andy
> 
> 
> On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <at...@cloudera.com> wrote:
> 
>> I trust you understand the sensitivity of this issue, and the need to
>> balance a desire to disclose the issue fully to all users with a desire to
>> not publish exploits of the issue.

Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Andrew Purtell <ap...@yahoo.com>.
> I trust you understand the sensitivity of this issue, and the need to balance a desire to disclose the issue fully to all users with a desire to not publish exploits of the issue.

I can understand that point of view. However,

1) This is open source, not binary only distribution. The patch for this particular issue as I understand it is already in the public change history of the project, just not clearly called out. So what are you actually hiding here? 

2) The CVE was itself 404 when I sent the earlier email, so the only available detail was the announcement to security@, a Cloudera web page not referenced, and project change history. I went back 14 days, not far enough, but how was I to know? Therefore in the absence of information the language of the disclosure implies that the Hadoop implementation of Kerberos authentication is worthless.

Therefore I submit that next time more context is available in the disclosure announcement.

Best regards,

    - Andy


On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <at...@cloudera.com> wrote:

> I trust you understand the sensitivity of this issue, and the need to
> balance a desire to disclose the issue fully to all users with a desire to
> not publish exploits of the issue.

Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by "Aaron T. Myers" <at...@cloudera.com>.
Hi Andrew,

On Fri, Apr 6, 2012 at 10:02 AM, Andrew Purtell <ap...@apache.org> wrote:

> This is not a helpful disclosure.
>

It's certainly helpful for users of 0.20.20x and 1.0.x, who can
immediately upgrade to 1.0.2, which was released yesterday. I agree it's
not very helpful for users of 0.23.x, but the assumption is that there are
far fewer of those than users of 0.20.20x and 1.0.x.

> Now we know our "secure" deployment is vulnerable, but have no idea how to
> mitigate. Claiming an upgrade to a nonexistent version with an, apparently,
> uncommitted fix as a mitigation is not viable. Where is the JIRA for this?
>

Per the Apache security guidelines (
http://www.apache.org/security/committers.html), there is no up-stream JIRA.

I trust you understand the sensitivity of this issue, and the need to
balance a desire to disclose the issue fully to all users with a desire to
not publish exploits of the issue.

 --
Aaron T. Myers
Software Engineer, Cloudera

Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Owen O'Malley <om...@apache.org>.
On Apr 6, 2012, at 10:02 AM, Andrew Purtell wrote:

> This is not a helpful disclosure.
> 
> Now we know our "secure" deployment is vulnerable, but have no idea how to mitigate. Claiming an upgrade to a nonexistent version with an, apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA for this? 

*SIGH* You're right, we messed up. We waited for the stable line to be fixed with Hadoop 1.0.2, but we should have waited for the 0.23.2 vote to pass too. The bug is fixed in 0.23.2 rc 0. 

-- Owen


Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Andrew Purtell <ap...@apache.org>.
I received off list communication that the fix is here: https://github.com/apache/hadoop-common/commit/fda454 


Thank you, this is the missing disclosure we were looking for. 


I did not go so far back in time as >~ 21 days because the announcement was made today, so missed it. 


So there is additional mitigation possible, for example, a user can patch task-controller quite readily and roll out an emergency upgrade.


Best regards,


    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)



----- Original Message -----
> From: Andrew Purtell <ap...@apache.org>
> To: "general@hadoop.apache.org" <ge...@hadoop.apache.org>; "security@apache.org" <se...@apache.org>
> Cc: 
> Sent: Friday, April 6, 2012 10:02 AM
> Subject: Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> 
> This is not a helpful disclosure.
> 
> Now we know our "secure" deployment is vulnerable, but have no idea 
> how to mitigate. Claiming an upgrade to a nonexistent version with an, 
> apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA for 
> this? 
> 
> Best regards,
> 
> 
>     - Andy
> 
> Problems worthy of attack prove their worth by hitting back. - Piet Hein (via 
> Tom White)
> 
> 
> 
> ----- Original Message -----
>>  From: Aaron T. Myers <at...@cloudera.com>
>>  To: general@hadoop.apache.org; security@apache.org; 
> full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>  Cc: 
>>  Sent: Thursday, April 5, 2012 7:31 PM
>>  Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
>> 
>>  Hello,
>> 
>>  Users of Apache Hadoop should be aware of a security vulnerability recently
>>  discovered, as described by the following CVE. In particular, please note
>>  the "Users affected", "Versions affected", and 
>>  "Mitigation" sections.
>> 
>>  Best,
>>  Aaron
>> 
>>  --
>>  Aaron T. Myers
>>  Software Engineer, Cloudera
>> 
>>  CVE-2012-1574: Apache Hadoop user impersonation vulnerability
>> 
>>  Severity: Critical
>> 
>>  Vendor: The Apache Software Foundation
>> 
>>  Versions Affected:
>>  Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
>>  Hadoop 1.0.0 to 1.0.1
>>  Hadoop 0.23.0 to 0.23.1.
>> 
>>  Users affected: Users who have enabled Hadoop's Kerberos/MapReduce 
> security
>>  features.
>> 
>>  Impact: Vulnerability allows an authenticated malicious user to impersonate
>>  any other user on the cluster.
>> 
>>  Mitigation:
>>  0.20.20x.x and 1.0.x users should upgrade to 1.0.2
>>  0.23.x users should upgrade to 0.23.2 when it becomes available
>> 
>>  Credit:
>>  This issue was discovered by Aaron T. Myers of Cloudera.
>> 
> 

Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

Posted by Andrew Purtell <ap...@apache.org>.
This is not a helpful disclosure.

Now we know our "secure" deployment is vulnerable, but have no idea how to mitigate. Claiming an upgrade to a nonexistent version with an, apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA for this? 

Best regards,


    - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)



----- Original Message -----
> From: Aaron T. Myers <at...@cloudera.com>
> To: general@hadoop.apache.org; security@apache.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Cc: 
> Sent: Thursday, April 5, 2012 7:31 PM
> Subject: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> 
> Hello,
> 
> Users of Apache Hadoop should be aware of a security vulnerability recently
> discovered, as described by the following CVE. In particular, please note
> the "Users affected", "Versions affected", and 
> "Mitigation" sections.
> 
> Best,
> Aaron
> 
> --
> Aaron T. Myers
> Software Engineer, Cloudera
> 
> CVE-2012-1574: Apache Hadoop user impersonation vulnerability
> 
> Severity: Critical
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
> Hadoop 1.0.0 to 1.0.1
> Hadoop 0.23.0 to 0.23.1.
> 
> Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
> features.
> 
> Impact: Vulnerability allows an authenticated malicious user to impersonate
> any other user on the cluster.
> 
> Mitigation:
> 0.20.20x.x and 1.0.x users should upgrade to 1.0.2
> 0.23.x users should upgrade to 0.23.2 when it becomes available
> 
> Credit:
> This issue was discovered by Aaron T. Myers of Cloudera.
>