CVE-2012-1574 — Apache Hadoop allows impersonation of arbitrary cluster user accounts

Description

The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors.

How to fix CVE-2012-1574

To remediate CVE-2012-1574, upgrade the affected package to a fixed version below.

Maven/org.apache.hadoop:hadoop-main—upgrade to 0.23.2 or later

Is CVE-2012-1574 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.23, < 0.23.2

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-1574
PATCHgithub.com/apache/hadoop
WEBseclists.org/fulldisclosure/2012/Apr/70
WEBweb.archive.org/web/20120720041621/https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin#ClouderaSecurityBulletin-MapReducewithSecurity