Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 26 Jan 2021 09:34:07 +0900
From: Akira Ajisaka <>
Subject: [CVE-2020-9492] Apache Hadoop Potential privilege escalation

CVE-2020-9492. Apache Hadoop Potential privilege escalation

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0

WebHDFS client might send SPNEGO authorization header to remote URL
without proper verification. A crafty user can trigger services to
send server credentials to a webhdfs path for capturing the service

Users of the affected versions should apply either of the following mitigations:
- Set different http signature secrets and use dedicated hosts for
each privileged impersonation service (such as HiveServer2).
- Upgrade to 3.3.0, 3.2.2, 3.1.4, 2.10.1, or newer with TLS encryption
enabled and configure dfs.http.policy to HTTPS_ONLY.

This issue was discovered by Kevin Risden.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.