CVE-2020-9492
First published: Tue Jan 26 2021(Updated: )
A flaw was found in Apache hadoop. The WebHDFS client can send a SPNEGO authorization header to a remote URL without proper verification which could lead to an access restriction bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/hadoop | <3.2.2 | 3.2.2 |
| redhat/hadoop | <3.1.4 | 3.1.4 |
| redhat/hadoop | <2.10.1 | 2.10.1 |
| Apache Hadoop | >=2.0.0<=2.10.0 | |
| Apache Hadoop | >=3.0.0<=3.1.3 | |
| Apache Hadoop | >=3.2.0<=3.2.1 | |
| Apache Solr | =8.6.0 | |
| Apache Solr | =8.6.2 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-9492 https://nvd.nist.gov/vuln/detail/CVE-2020-9492 https://hadoop.apache.org/cve_list.html https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHADOOP-1065272
- https://bugzilla.redhat.com/show_bug.cgi?id=1925237
- https://access.redhat.com/errata/RHSA-2022:6407
- https://access.redhat.com/errata/RHSA-2022:5606
- https://access.redhat.com/security/cve/cve-2020-9492
- https://lists.apache.org/thread.html/r0a534f1cde7555f7208e9f9b791c1ab396d215eaaef283b3a9153429@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r49c9ab444ab1107c6a8be8a0d66602dec32a16d96c2631fec8d309fb@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r4a57de5215494c35c8304cf114be75d42df7abc6c0c54bf163c3e370@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r6341f2a468ced8872a71997aa1786ce036242413484f0fa68dc9ca02@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r6c2fa7949738e9d39606f1d7cd890c93a2633e3357c9aeaf886ea9a6@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r79201a209df9a4e7f761e537434131b4e39eabec4369a7d668904df4@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r79323adac584edab99fd5e4b52a013844b784a5d4b600da0662b33d6@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9328eb49305e4cacc80e182bfd8a2efd8e640d940e24f5bfd7d5cb26@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r941e9be04efe0f455d20aeac88516c0848decd7e7b1d93d5687060f4@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rb12afaa421d483863c4175e42e5dbd0673917a3cff73f3fca4f8275f@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rc0057ebf32b646ab47f7f5744a8948332e015c39044cbb9d87ea76cd@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/re4129c6b9e0410848bbd3761187ce9c19bc1cd491037b253007df99e@%3Cissues.solr.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210304-0001/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://github.com/apache/hadoop/commit/81d8a887b0406380e469c76ed2e41022a6372dd7
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHADOOP-1065272
- https://hadoop.apache.org/cve_list.html
- https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
- https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r79323adac584edab99fd5e4b52a013844b784a5d4b600da0662b33d6%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r941e9be04efe0f455d20aeac88516c0848decd7e7b1d93d5687060f4%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rc0057ebf32b646ab47f7f5744a8948332e015c39044cbb9d87ea76cd%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r0a534f1cde7555f7208e9f9b791c1ab396d215eaaef283b3a9153429%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r6341f2a468ced8872a71997aa1786ce036242413484f0fa68dc9ca02%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r9328eb49305e4cacc80e182bfd8a2efd8e640d940e24f5bfd7d5cb26%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r4a57de5215494c35c8304cf114be75d42df7abc6c0c54bf163c3e370%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r6c2fa7949738e9d39606f1d7cd890c93a2633e3357c9aeaf886ea9a6%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r49c9ab444ab1107c6a8be8a0d66602dec32a16d96c2631fec8d309fb%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/re4129c6b9e0410848bbd3761187ce9c19bc1cd491037b253007df99e%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r79201a209df9a4e7f761e537434131b4e39eabec4369a7d668904df4%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rb12afaa421d483863c4175e42e5dbd0673917a3cff73f3fca4f8275f%40%3Cissues.solr.apache.org%3E
Frequently Asked Questions
What is CVE-2020-9492?
CVE-2020-9492 is a vulnerability found in Apache Hadoop, which allows the WebHDFS client to send a SPNEGO authorization header to a remote URL without proper verification, leading to an access restriction bypass.
How does CVE-2020-9492 impact data confidentiality and integrity?
CVE-2020-9492 can compromise data confidentiality and integrity as well as system availability.
Which software versions are affected by CVE-2020-9492?
The affected software versions include Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0.
What is the severity level of CVE-2020-9492?
CVE-2020-9492 has a severity level of 8.8 (high).
How can I fix CVE-2020-9492?
To fix CVE-2020-9492, update your Apache Hadoop installation to version 3.2.2, 3.1.4, or 2.10.1.
- collector/redhat-cve
- collector/nvd-index
- agent/softwarecombine
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/severity
- agent/author
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-9492
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/tags
- agent/description
- agent/event
- agent/trending
- vendor/apache
- canonical/apache hadoop
- version/apache hadoop/2.0.0
- version/apache hadoop/2.10.0
- version/apache hadoop/3.0.0
- version/apache hadoop/3.1.3
- version/apache hadoop/3.2.0
- version/apache hadoop/3.2.1
- canonical/apache solr
- version/apache solr/8.6.0
- version/apache solr/8.6.2
- vendor/oracle
- canonical/oracle financial services crime and compliance management studio
- version/oracle financial services crime and compliance management studio/8.0.8.2.0
- version/oracle financial services crime and compliance management studio/8.0.8.3.0
- package-manager/redhat