exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Hadoop HDFS Information Disclosure

Apache Hadoop HDFS Information Disclosure
Posted Jul 10, 2012
Authored by Aaron T. Myers

Apache Hadoop version 2.0.0-alpha suffers from an HDFS information disclosure vulnerability. Malicious clients may gain write access to data for which they have read-only permission, or gain read access to any data blocks whose IDs they can determine.

tags | advisory, info disclosure
advisories | CVE-2012-3376
SHA-256 | 8ea4cabe21ecd11c0e368081bd0fd9e1d9007bdbf2e8fcaaf287c6748a7721da

Apache Hadoop HDFS Information Disclosure

Change Mirror Download
Hash: SHA1


Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note the
"Users affected", "Versions affected", and "Mitigation" sections.

The project team will be announcing a release vote shortly for Apache Hadoop
2.0.1-alpha, which will be comprised of the contents of Apache Hadoop
2.0.0-alpha, this security patch, and a few patches for YARN.

Aaron T. Myers
Software Engineer, Cloudera

CVE-2012-3376: Apache Hadoop HDFS information disclosure vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Hadoop 2.0.0-alpha

Users affected:
Users who have enabled Hadoop's Kerberos/HDFS security features.

Malicious clients may gain write access to data for which they have read-only
permission, or gain read access to any data blocks whose IDs they can

When Hadoop's security features are enabled, clients authenticate to DataNodes
using BlockTokens issued by the NameNode to the client. The DataNodes are able
to verify the validity of a BlockToken, and will reject BlockTokens that were
not issued by the NameNode. The DataNode determines whether or not it should
check for BlockTokens when it registers with the NameNode.

Due to a bug in the DataNode/NameNode registration process, a DataNode which
registers more than once for the same block pool will conclude that it
thereafter no longer needs to check for BlockTokens sent by clients. That is,
the client will continue to send BlockTokens as part of its communication with
DataNodes, but the DataNodes will not check the validity of the tokens. A
DataNode will register more than once for the same block pool whenever the
NameNode restarts, or when HA is enabled.

Users of 2.0.0-alpha should immediately apply the patch provided below to their
systems. Users should upgrade to 2.0.1-alpha as soon as it becomes available.

Credit: This issue was discovered by Aaron T. Myers of Cloudera.

A signed patch against Apache Hadoop 2.0.0-alpha for this issue can be found
here: https://people.apache.org/~atm/cve-2012-3376/

Version: GnuPG v1.4.11 (GNU/Linux)

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By