Aaron T. Myers
Software Engineer, Cloudera
CVE-2012-1574: Apache Hadoop user impersonation vulnerability
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected:
Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
Hadoop 1.0.0 to 1.0.1
Hadoop 0.23.0 to 0.23.1.
Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
features.
Impact: Vulnerability allows an authenticated malicious user to impersonate
any other user on the cluster.
Mitigation:
0.20.20x.x and 1.0.x users should upgrade to 1.0.2
0.23.x users should upgrade to 0.23.2 when it becomes available
Credit:
This issue was discovered by Aaron T. Myers of Cloudera.