Apache Hadoop HDFS Information Disclosure

2012.07.10
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Users of Apache Hadoop should be aware of a security vulnerability recently discovered, as described by the following CVE. In particular, please note the "Users affected", "Versions affected", and "Mitigation" sections. The project team will be announcing a release vote shortly for Apache Hadoop 2.0.1-alpha, which will be comprised of the contents of Apache Hadoop 2.0.0-alpha, this security patch, and a few patches for YARN. Best, Aaron T. Myers Software Engineer, Cloudera CVE-2012-3376: Apache Hadoop HDFS information disclosure vulnerability Severity: Critical Vendor: The Apache Software Foundation Versions Affected: Hadoop 2.0.0-alpha Users affected: Users who have enabled Hadoop's Kerberos/HDFS security features. Impact: Malicious clients may gain write access to data for which they have read-only permission, or gain read access to any data blocks whose IDs they can determine. Description: When Hadoop's security features are enabled, clients authenticate to DataNodes using BlockTokens issued by the NameNode to the client. The DataNodes are able to verify the validity of a BlockToken, and will reject BlockTokens that were not issued by the NameNode. The DataNode determines whether or not it should check for BlockTokens when it registers with the NameNode. Due to a bug in the DataNode/NameNode registration process, a DataNode which registers more than once for the same block pool will conclude that it thereafter no longer needs to check for BlockTokens sent by clients. That is, the client will continue to send BlockTokens as part of its communication with DataNodes, but the DataNodes will not check the validity of the tokens. A DataNode will register more than once for the same block pool whenever the NameNode restarts, or when HA is enabled. Mitigation: Users of 2.0.0-alpha should immediately apply the patch provided below to their systems. Users should upgrade to 2.0.1-alpha as soon as it becomes available. Credit: This issue was discovered by Aaron T. Myers of Cloudera. A signed patch against Apache Hadoop 2.0.0-alpha for this issue can be found here: https://people.apache.org/~atm/cve-2012-3376/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBAgAGBQJP9xp7AAoJECEaGfB4kTjfGWMH/2fXnrngfpQL+d1QLG3wDOPn OAJK3Tj/JrII1ETCguI6DOjpQaRrnzSvyCdWOHApbGG6LxwSvTlwEBPUR8SMZFxY TA13eJPz21ZXtXZ9oGvg1BMw+wRwfmem0Sl508c8kJpSfHXD4W89wyG/5Z+1pz5d s0aHUMVj5YT32yH45Tp192nB5d4XQ7gdUmCLB4HF8fxrrIH2jWU0NX63DT6dXE5w DUqKq6nTFDHnuTA1IO0B8OAVGv2M/kq8P3Fi+pnVvVao+ttkWIK1z7Ts11gfL7d0 /rE4VgZ7Cwc2o1Fx8s1LCKKLIDrO15aULOSbEa9nl6yQywEEjn2h6cKXHv6RUHM= =wrvr -----END PGP SIGNATURE-----

References:

http://packetstormsecurity.org/files/114570/CVE-2012-3376.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top