Home page logo

bugtraq logo Bugtraq mailing list archives

[CVE-2012-1574] Apache Hadoop user impersonation vulnerability
From: "Aaron T. Myers" <atm () cloudera com>
Date: Thu, 5 Apr 2012 19:35:35 -0700


Users of Apache Hadoop should be aware of a security vulnerability
recently discovered, as described by the following CVE. In particular,
please note the "Users affected", "Versions affected", and
"Mitigation" sections.


Aaron T. Myers
Software Engineer, Cloudera

CVE-2012-1574: Apache Hadoop user impersonation vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop,, and
Hadoop 1.0.0 to 1.0.1
Hadoop 0.23.0 to 0.23.1.

Users affected: Users who have enabled Hadoop's Kerberos/MapReduce
security features.

Impact: Vulnerability allows an authenticated malicious user to
impersonate any other user on the cluster.

0.20.20x.x and 1.0.x users should upgrade to 1.0.2
0.23.x users should upgrade to 0.23.2 when it becomes available

This issue was discovered by Aaron T. Myers of Cloudera.

  By Date           By Thread  

Current thread:
  • [CVE-2012-1574] Apache Hadoop user impersonation vulnerability Aaron T. Myers (Apr 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]