Date: Mon, 15 Feb 2016 13:49:36 -0800 From: Arun Suresh <asuresh@...che.org> To: security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, general@...oop.apache.org Subject: CVE-2015-1776: Apache Hadoop MapReduce, disclosure of encrypted data Hello, Please see below for the official announcement of a serious security vulnerability which has been discovered and subsequently fixed in Apache Hadoop releases. Best, Arun Suresh ---------- CVE-2015-1776: Encryption of intermediate data and spills to the local file system in Hadoop MapReduce is vulnerable to unauthorized disclosure of data. Severity: Severe Vendor: The Apache Software Foundation Versions Affected: All versions of Hadoop 2.6.x Users affected: Users who have enabled Hadoop's Intermediate data encryption feature Impact: RPC traffic from clients, potentially including authentication credentials, may be intercepted by a malicious user with access to run tasks or containers on a cluster. Description: The encryption key/secret used to encrypt the intermediate data generated by an Apache Hadoop MapReduce job is stored as a token in the job’s credentials and are subsequently serialized to disk ( without any additional encryption/protection ) into the machine's local dirs. A malicious user who has access to this credentials file can load the tokens from the file, read the secret and then decrypt the intermediate data which is also stored in machine local dirs. Mitigation: Users of Hadoop 2.6.x versions prior should upgrade to a 2.7.x release (where the issue has been fixed) or disable the feature when running MapReduce jobs. Credit: This issue was discovered by Hitesh Shah of Hortonworks. ----------
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.