Skip to main content

Hadoop CVE-2012-4449

CRITICAL
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2017-10-30 secalert@redhat.com
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 30, 2017 - 19:29 cve.org
CRITICAL 9.8

DescriptionCVE.org

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.

AnalysisAI

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-327. Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. Affected products include: Apache Hadoop. Version information: before 0.23.4.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Hadoop

View all
CVE-2022-26612 CRITICAL POC
9.8 Apr 07

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and ot

CVE-2018-8009 HIGH POC
8.8 Nov 13

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is ex

CVE-2016-3086 CRITICAL
9.8 Sep 05

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential sto

CVE-2022-25168 CRITICAL
9.8 Aug 04

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. Rat

CVE-2019-17195 CRITICAL
9.8 Oct 15

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in

CVE-2016-5393 HIGH
8.8 Nov 29

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode ca

CVE-2016-6811 HIGH
8.8 Apr 11

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user

CVE-2018-11766 HIGH
8.8 Nov 27

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. Rated high severity (CVSS 8.8), this

CVE-2015-7430 HIGH
8.4 Jan 02

The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System

CVE-2017-3166 HIGH
7.8 Nov 13

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access

CVE-2012-3376 HIGH
7.5 Jul 12

DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNo

CVE-2017-3162 HIGH
7.3 Apr 26

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. Rated high severity (CVSS 7.3), this

Share

CVE-2012-4449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy