exploit the possibilities

Apache Hadoop HDFS Information Disclosure

Apache Hadoop HDFS Information Disclosure
Posted Jul 10, 2012
Authored by Aaron T. Myers

Apache Hadoop version 2.0.0-alpha suffers from an HDFS information disclosure vulnerability. Malicious clients may gain write access to data for which they have read-only permission, or gain read access to any data blocks whose IDs they can determine.

tags | advisory, info disclosure
advisories | CVE-2012-3376
MD5 | fcf04d3a187fc9f834a69d450e6b7149

Apache Hadoop HDFS Information Disclosure

Change Mirror Download
Hash: SHA1


Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note the
"Users affected", "Versions affected", and "Mitigation" sections.

The project team will be announcing a release vote shortly for Apache Hadoop
2.0.1-alpha, which will be comprised of the contents of Apache Hadoop
2.0.0-alpha, this security patch, and a few patches for YARN.

Aaron T. Myers
Software Engineer, Cloudera

CVE-2012-3376: Apache Hadoop HDFS information disclosure vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Hadoop 2.0.0-alpha

Users affected:
Users who have enabled Hadoop's Kerberos/HDFS security features.

Malicious clients may gain write access to data for which they have read-only
permission, or gain read access to any data blocks whose IDs they can

When Hadoop's security features are enabled, clients authenticate to DataNodes
using BlockTokens issued by the NameNode to the client. The DataNodes are able
to verify the validity of a BlockToken, and will reject BlockTokens that were
not issued by the NameNode. The DataNode determines whether or not it should
check for BlockTokens when it registers with the NameNode.

Due to a bug in the DataNode/NameNode registration process, a DataNode which
registers more than once for the same block pool will conclude that it
thereafter no longer needs to check for BlockTokens sent by clients. That is,
the client will continue to send BlockTokens as part of its communication with
DataNodes, but the DataNodes will not check the validity of the tokens. A
DataNode will register more than once for the same block pool whenever the
NameNode restarts, or when HA is enabled.

Users of 2.0.0-alpha should immediately apply the patch provided below to their
systems. Users should upgrade to 2.0.1-alpha as soon as it becomes available.

Credit: This issue was discovered by Aaron T. Myers of Cloudera.

A signed patch against Apache Hadoop 2.0.0-alpha for this issue can be found
here: https://people.apache.org/~atm/cve-2012-3376/

Version: GnuPG v1.4.11 (GNU/Linux)



RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By