PT-2012-1195 · Apache · Apache Hadoop

Daryn Sharp · Published 2012-10-12 · Updated 2022-05-17 · CVE-2012-4449

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache Hadoop versions prior to 0.23.4
Apache Hadoop 1.x versions prior to 1.0.4
Apache Hadoop 2.x versions prior to 2.0.2

Description

The issue is related to errors in the implementation of cryptographic algorithms for generating temporary identifiers when Kerberos security features are enabled. This makes it easier for attackers to crack secret keys via a brute-force attack. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations

For Apache Hadoop versions prior to 0.23.4, update to version 0.23.4 or later.
For Apache Hadoop 1.x versions prior to 1.0.4, update to version 1.0.4 or later.
For Apache Hadoop 2.x versions prior to 2.0.2, update to version 2.0.2 or later.

Fix

Use of a Broken Cryptographic Algorithm

Weakness Enumeration

Related Identifiers

BDU:2018-00143
CVE-2012-4449
GHSA-Q46V-CJ5V-HVG6

Affected Products

Apache Hadoop