Description
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
Mitigation
Users should upgrade to Apache Hadoop 2.10.0, 3.0.1 or later. If that is not possible and an affected version of Apache Hadoop is in use, SPNEGO through HTTP should be enabled.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | hadoop-core | Not affected | | |
| Red Hat JBoss Data Grid 7 | hadoop-core | Out of support scope | | |
| Red Hat JBoss Data Virtualization 6 | hadoop-core | Out of support scope | | |
| Red Hat JBoss Fuse 6 | hadoop-core | Out of support scope | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hadoop | Not affected | | |
Additional information
Status: Moderate
Defect: CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1883549 hadoop: Potential information disclosure in Hadoop Web interfaces
CVSS3: 6.5 Medium
Related vulnerabilities
CVSS3: 7.5
nvd
more than 5 years ago
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
CVSS3: 7.5
debian
more than 5 years ago
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 ...