Cryptographic issues in Hadoop - CVE-2012-3376
Published: July 12, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU43888
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-3376
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Hadoop
Hadoop
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.
How to mitigate CVE-2012-3376
Install update from vendor's website.