Daryn Sharp

Name of the Vulnerable Software and Affected Versions: Apache Hadoop versions 3.0.0-alpha4 through 3.0.0 Description: The web endpoint authentication check in Apache Hadoop is broken, allowing authenticated users to impersonate any user, even if no proxy user is configured. Recommendations: For Apache Hadoop versions 3.0.0-alpha4 through 3.0.0, consider restricting access to the web endpoint until a fix is available. As a temporary workaround, review and limit user permissions to minimize the risk of impersonation.

**Name of the Vulnerable Software and Affected Versions** Apache Hadoop versions prior to 0.23.4 Apache Hadoop 1.x versions prior to 1.0.4 Apache Hadoop 2.x versions prior to 2.0.2 **Description** The issue is related to errors in the implementation of cryptographic algorithms for generating temporary identifiers when Kerberos security features are enabled. This makes it easier for attackers to crack secret keys via a brute-force attack. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Apache Hadoop versions prior to 0.23.4, update to version 0.23.4 or later. For Apache Hadoop 1.x versions prior to 1.0.4, update to version 1.0.4 or later. For Apache Hadoop 2.x versions prior to 2.0.2, update to version 2.0.2 or later.