Aaron T. Myers

**Name of the Vulnerable Software and Affected Versions** Apache HBase versions 0.92.x through 0.92.2 Apache HBase versions 0.94.x through 0.94.8 **Description** The issue allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors when the Kerberos features are enabled. **Recommendations** For Apache HBase versions 0.92.x through 0.92.2, update to version 0.92.3 or later. For Apache HBase versions 0.94.x through 0.94.8, update to version 0.94.9 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Hadoop versions 0.20.203.0 through 0.20.205.0 Apache Hadoop versions 0.23.x before 0.23.2 Apache Hadoop versions 1.0.x before 1.0.2 Cloudera CDH versions CDH3u0 through CDH3u2 Cloudera hadoop-0.20-sbin versions before 0.20.2+923.197 **Description** The issue allows remote authenticated users to impersonate arbitrary cluster user accounts. This is related to the Kerberos/MapReduce security functionality in Apache Hadoop. **Recommendations** For Apache Hadoop versions 0.20.203.0 through 0.20.205.0, update to a version outside of this range to resolve the issue. For Apache Hadoop versions 0.23.x before 0.23.2, update to version 0.23.2 or later. For Apache Hadoop versions 1.0.x before 1.0.2, update to version 1.0.2 or later. For Cloudera CDH versions CDH3u0 through CDH3u2, update to a version outside of this range. For Cloudera hadoop-0.20-sbin versions before 0.20.2+923.197, update to version 0.20.2+923.197 or later.