CVE-2013-2192
First published: Mon Aug 26 2013(Updated: )
It was reported [1] that: "The Apache Hadoop RPC protocol is intended to provide bidirectional authentication between clients and servers. However, a malicious server or network attacker can unilaterally disable these authentication checks. This allows for potential reduction in the configured quality of protection of the RPC traffic, and privilege escalation if authentication credentials are passed over RPC." This flaw only affects users who have enabled Hadoop's kerberos security features. This is corrected in upstream versions 0.23.9, 1.2.1, and 2.0.6-alpha. [1] <a href="http://seclists.org/fulldisclosure/2013/Aug/251">http://seclists.org/fulldisclosure/2013/Aug/251</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Hadoop | <0.23.9 | 0.23.9 |
| redhat/Hadoop | <1.2.1 | 1.2.1 |
| Apache Hadoop | =0.23.0 | |
| Apache Hadoop | =0.23.1 | |
| Apache Hadoop | =0.23.3 | |
| Apache Hadoop | =0.23.4 | |
| Apache Hadoop | =0.23.5 | |
| Apache Hadoop | =0.23.6 | |
| Apache Hadoop | =0.23.7 | |
| Apache Hadoop | =0.23.8 | |
| Apache Hadoop | =1.0.0 | |
| Apache Hadoop | =1.0.1 | |
| Apache Hadoop | =1.0.2 | |
| Apache Hadoop | =1.0.3 | |
| Apache Hadoop | =1.0.4 | |
| Apache Hadoop | =1.1.0 | |
| Apache Hadoop | =1.1.1 | |
| Apache Hadoop | =1.1.2 | |
| Apache Hadoop | =1.2.0 | |
| Apache Hadoop | =2.0.0-alpha | |
| Apache Hadoop | =2.0.1-alpha | |
| Apache Hadoop | =2.0.2-alpha | |
| Apache Hadoop | =2.0.3-alpha | |
| Apache Hadoop | =2.0.4-alpha | |
| Apache Hadoop | =2.0.5-alpha |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2014-0037.html
- http://rhn.redhat.com/errata/RHSA-2014-0400.html
- http://seclists.org/fulldisclosure/2013/Aug/251
- http://secunia.com/advisories/57915
- https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
- http://svn.apache.org/viewvc?view=revision&revision=r1500336
- https://rhn.redhat.com/errata/RHSA-2014-0037.html
- https://rhn.redhat.com/errata/RHSA-2014-0401.html
- https://rhn.redhat.com/errata/RHSA-2014-0400.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1001326
Frequently Asked Questions
What is the severity of CVE-2013-2192?
CVE-2013-2192 has a moderate severity level due to its potential impact on authentication mechanisms in Apache Hadoop.
How do I fix CVE-2013-2192?
To fix CVE-2013-2192, upgrade to Hadoop version 0.23.10 or later or 1.2.2 or later.
What systems are affected by CVE-2013-2192?
CVE-2013-2192 affects various versions of Apache Hadoop, specifically versions prior to 0.23.10 and 1.2.2.
What type of attack can exploit CVE-2013-2192?
CVE-2013-2192 can be exploited by a malicious server or network attacker who can disable authentication checks.
Is CVE-2013-2192 related to data confidentiality?
Yes, CVE-2013-2192 could potentially compromise data confidentiality by undermining the authentication process.
- collector/redhat-bugzilla
- alias/CVE-2013-2192
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/tags
- agent/description
- agent/event
- agent/source
- package-manager/redhat
- vendor/apache
- canonical/apache hadoop
- version/apache hadoop/0.23.0
- version/apache hadoop/0.23.1
- version/apache hadoop/0.23.3
- version/apache hadoop/0.23.4
- version/apache hadoop/0.23.5
- version/apache hadoop/0.23.6
- version/apache hadoop/0.23.7
- version/apache hadoop/0.23.8
- version/apache hadoop/1.0.0
- version/apache hadoop/1.0.1
- version/apache hadoop/1.0.2
- version/apache hadoop/1.0.3
- version/apache hadoop/1.0.4
- version/apache hadoop/1.1.0
- version/apache hadoop/1.1.1
- version/apache hadoop/1.1.2
- version/apache hadoop/1.2.0
- version/apache hadoop/2.0.0-alpha
- version/apache hadoop/2.0.1-alpha
- version/apache hadoop/2.0.2-alpha
- version/apache hadoop/2.0.3-alpha
- version/apache hadoop/2.0.4-alpha
- version/apache hadoop/2.0.5-alpha