Ethan Rose

**Name of the Vulnerable Software and Affected Versions** Apache Ozone version 1.4.0 **Description** The issue is related to improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone. This allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user, but only if specific conditions are met: `ozone.s3g.secret.http.enabled` is set to true and the user configured in `ozone.s3g.kerberos.principal` is also configured in `ozone.s3.administrators` or `ozone.administrators`. **Recommendations** Upgrade to Apache Ozone version 1.4.1, which disables the affected endpoint. As a temporary workaround, consider setting `ozone.s3g.secret.http.enabled` to false to prevent exploitation. Restrict access to the S3 Gateway to minimize the risk of unauthorized S3 secret regeneration.

**Name of the Vulnerable Software and Affected Versions** Apache Ozone versions prior to 1.2.0 **Description** The issue allows any unauthenticated user to access metadata from Recon HTTP endpoints, which provide access to OM, SCM, and Datanode metadata, due to a bug. **Recommendations** For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Recon HTTP endpoints until a patch is available.