Date: Tue, 26 Jan 2021 09:34:07 +0900 From: Akira Ajisaka <aajisaka@...che.org> To: oss-security@...ts.openwall.com Subject: [CVE-2020-9492] Apache Hadoop Potential privilege escalation CVE-2020-9492. Apache Hadoop Potential privilege escalation Severity: Important Vendor: The Apache Software Foundation Versions Affected: 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0 Description: WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. A crafty user can trigger services to send server credentials to a webhdfs path for capturing the service principal. Mitigation: Users of the affected versions should apply either of the following mitigations: - Set different http signature secrets and use dedicated hosts for each privileged impersonation service (such as HiveServer2). - Upgrade to 3.3.0, 3.2.2, 3.1.4, 2.10.1, or newer with TLS encryption enabled and configure dfs.http.policy to HTTPS_ONLY. Credit: This issue was discovered by Kevin Risden.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.