First published: Mon Aug 26 2013
It was reported [1] that: "The Apache Hadoop RPC protocol is intended to provide bidirectional authentication between clients and servers. However, a malicious server or network attacker can unilaterally disable these authentication checks. This allows for potential reduction in the configured quality of protection of the RPC traffic, and privilege escalation if authentication credentials are passed over RPC."

This flaw only affects users who have enabled Hadoop's Kerberos security features. It is corrected in upstream versions 0.23.9, 1.2.1, and 2.0.6-alpha.

[1] http://seclists.org/fulldisclosure/2013/Aug/251
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/Hadoop | <0.23.9 | 0.23.9 |
redhat/Hadoop | <1.2.1 | 1.2.1 |
Apache Hadoop | =0.23.0 | |
Apache Hadoop | =0.23.1 | |
Apache Hadoop | =0.23.3 | |
Apache Hadoop | =0.23.4 | |
Apache Hadoop | =0.23.5 | |
Apache Hadoop | =0.23.6 | |
Apache Hadoop | =0.23.7 | |
Apache Hadoop | =0.23.8 | |
Apache Hadoop | =1.0.0 | |
Apache Hadoop | =1.0.1 | |
Apache Hadoop | =1.0.2 | |
Apache Hadoop | =1.0.3 | |
Apache Hadoop | =1.0.4 | |
Apache Hadoop | =1.1.0 | |
Apache Hadoop | =1.1.1 | |
Apache Hadoop | =1.1.2 | |
Apache Hadoop | =1.2.0 | |
Apache Hadoop | =2.0.0-alpha | |
Apache Hadoop | =2.0.1-alpha | |
Apache Hadoop | =2.0.2-alpha | |
Apache Hadoop | =2.0.3-alpha | |
Apache Hadoop | =2.0.4-alpha | |
Apache Hadoop | =2.0.5-alpha | |