Bug 1001326 - (CVE-2013-2192) CVE-2013-2192 hadoop: man-in-the-middle vulnerability
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Depends On: 1001903 1001904 1001905
Blocks: 1001366 1026176
Reported: 2013-08-26 18:02 EDT by Vincent Danen
Modified: 2014-05-04 18:44 EDT (History)
17 users

See Also:
Fixed In Version: Hadoop 0.23.9, Hadoop 1.2.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-05-04 18:44:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Vincent Danen 2013-08-26 18:02:32 EDT
It was reported [1] that:

"The Apache Hadoop RPC protocol is intended to provide bidirectional
authentication between clients and servers. However, a malicious server or
network attacker can unilaterally disable these authentication checks. This
allows for potential reduction in the configured quality of protection of
the RPC traffic, and privilege escalation if authentication credentials are
passed over RPC."

This flaw only affects users who have enabled Hadoop's Kerberos security features. This is corrected in upstream versions 0.23.9, 1.2.1, and 2.0.6-alpha.

[1] http://seclists.org/fulldisclosure/2013/Aug/251
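The advisory quoted above describes a downgrade: the client is configured for Kerberos authentication and a certain quality of protection, but a malicious server or an on-path attacker can answer the connection setup in a way that switches those checks off. The following is an added toy model of that negotiation step, written for this page and not taken from Hadoop's RPC code or from the advisory. The message format, the method names (SIMPLE, TOKEN, KERBEROS), the QoP levels and the function names are assumptions; the point it demonstrates is that a client must enforce its own configured minimum rather than adopt whatever the server proposes.

```python
"""Toy model of the authentication/QoP downgrade described in CVE-2013-2192.

Added illustration, not Hadoop code. The client is configured to require
Kerberos and a confidentiality-level QoP; the server's hello says which
method and QoP it intends to use; the client must decide whether to go on.
Header format, method names and QoP labels are assumptions made here.
"""
from dataclasses import dataclass

# Strength ordering for authentication methods and SASL-style QoP levels
# (assumed ordering for this illustration).
AUTH_RANK = {"SIMPLE": 0, "TOKEN": 1, "KERBEROS": 2}
QOP_RANK = {"auth": 0, "auth-int": 1, "auth-conf": 2}


@dataclass(frozen=True)
class ClientConfig:
    required_auth: str   # e.g. "KERBEROS"
    required_qop: str    # e.g. "auth-conf"


@dataclass(frozen=True)
class ServerHello:
    auth_method: str
    qop: str


def parse_server_hello(line: str) -> ServerHello:
    """Parse a constructed hello line such as 'auth=KERBEROS qop=auth-conf'."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if not key or not value:
            raise ValueError(f"malformed token {token!r} in server hello")
        fields[key] = value
    try:
        return ServerHello(fields["auth"], fields["qop"])
    except KeyError as missing:
        raise ValueError(f"server hello lacks {missing}") from None


def vulnerable_negotiate(cfg: ClientConfig, hello: ServerHello):
    """The flawed behaviour: whatever the server proposes becomes the session
    setting. A malicious server, or an attacker rewriting its reply on the
    wire, can therefore silently move the session to SIMPLE / auth."""
    return hello.auth_method, hello.qop


def hardened_negotiate(cfg: ClientConfig, hello: ServerHello):
    """Enforce the client's own configured minimum. Unknown values and
    anything weaker than the configured level are refused before any
    credential or RPC payload is sent."""
    if hello.auth_method not in AUTH_RANK or hello.qop not in QOP_RANK:
        raise ValueError(f"unknown negotiation values: {hello}")
    if AUTH_RANK[hello.auth_method] < AUTH_RANK[cfg.required_auth]:
        raise PermissionError(
            f"server offered {hello.auth_method}; client requires {cfg.required_auth}")
    if QOP_RANK[hello.qop] < QOP_RANK[cfg.required_qop]:
        raise PermissionError(
            f"server offered qop={hello.qop}; client requires {cfg.required_qop}")
    return hello.auth_method, hello.qop


def session_is_downgraded(cfg: ClientConfig, negotiated) -> bool:
    """Audit helper: did a negotiation end below the configured level?"""
    auth, qop = negotiated
    return (AUTH_RANK[auth] < AUTH_RANK[cfg.required_auth]
            or QOP_RANK[qop] < QOP_RANK[cfg.required_qop])


def negotiation_refused(cfg: ClientConfig, hello: ServerHello) -> bool:
    """True if the hardened client rejects this server hello."""
    try:
        hardened_negotiate(cfg, hello)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    cfg = ClientConfig("KERBEROS", "auth-conf")
    # Constructed sample hellos: an honest server and a tampered reply.
    honest = parse_server_hello("auth=KERBEROS qop=auth-conf")
    tampered = parse_server_hello("auth=SIMPLE qop=auth")
    print("vulnerable, tampered ->", vulnerable_negotiate(cfg, tampered),
          "downgraded:", session_is_downgraded(cfg, vulnerable_negotiate(cfg, tampered)))
    print("hardened, honest ->", hardened_negotiate(cfg, honest))
    print("hardened, tampered refused:", negotiation_refused(cfg, tampered))
```

The same check applies to any protocol whose client negotiates its security level with the peer: the configured minimum lives on the client and is compared against the offer, never replaced by it, and a refusal is logged so a downgrade attempt surfaces in monitoring.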
Comment 1 David Jorm 2013-08-28 00:49:50 EDT
Upstream patch commit:

Comment 7 errata-xmlrpc 2014-01-21 12:44:54 EST
This issue has been addressed in the following products:

  RHEV Manager version 3.3

Via RHSA-2014:0037 https://rhn.redhat.com/errata/RHSA-2014-0037.html
Comment 8 errata-xmlrpc 2014-04-14 09:48:54 EDT
This issue has been addressed in the following products:

  Red Hat JBoss AM-Q 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html
Comment 9 Chess Hazlett 2014-04-14 22:33:18 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html