Vulnerabilities > CVE-2012-3376 - Cryptographic Issues vulnerability in Apache Hadoop 2.0.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 54358 CVE ID: CVE-2012-3376 Hadoop是Apache软件基金会所研发的开放源码并行运算编程工具和分散式档案系统。 Apache Hadoop 2.0.0-alpha在实现上存在信息泄露漏洞,成功利用后可允许攻击者获取敏感信息。 0 Apache Group Hadoop 厂商补丁: Apache Group ------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://httpd.apache.org/ |
| id | SSV:60267 |
| last seen | 2017-11-19 |
| modified | 2012-07-10 |
| published | 2012-07-10 |
| reporter | Root |
| title | Apache Hadoop信息泄露漏洞 |