CVE-2012-1574 - Cryptographic Issues vulnerability in multiple products

CVSS 6.5 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: SINGLE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Tags: network, low complexity, apache, cloudera, CWE-310

Summary

The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Seebug

bulletinFamily: exploit
description: Bugtraq ID: 52939. CVE ID: CVE-2012-1574. Apache Hadoop is a framework designed to run distributed applications on large clusters of commodity computing devices. Apache Hadoop has an unspecified security vulnerability that allows a malicious user to impersonate other users. Successful exploitation requires that the target uses the Kerberos / MapReduce security features.

  • Cloudera Cloudera Manager 3.7.4
  • Cloudera Cloudera Manager 3.7
  • Apache Software Foundation Hadoop 1.0.1
  • Apache Software Foundation Hadoop 1.0
  • Apache Software Foundation Hadoop 0.23.1
  • Apache Software Foundation Hadoop 0.23
  • Apache Software Foundation Hadoop 0.20.205
  • Apache Software Foundation Hadoop 0.20.204
  • Apache Software Foundation Hadoop 0.20.203

Vendor solution: Apache Software Foundation Hadoop 1.0.2 fixes this vulnerability; users are advised to download and use it: http://www.cloudera.com/
id: SSV:60034
last seen: 2017-11-19
modified: 2012-04-10
published: 2012-04-10
reporter: Root
title: Apache Hadoop Unspecified User Impersonation Vulnerability (CVE-2012-1574)