PT-2024-31436 · Apache · Apache Ozone

Ethan Rose +1

Published 2024-12-02 · Updated 2025-07-01

CVE-2024-45106

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Ozone version 1.4.0

Description: Apache Ozone 1.4.0 does not properly authenticate an HTTP endpoint in the S3 Gateway that manages S3 secrets. Any authenticated Kerberos user can revoke and regenerate the S3 secrets of any other user, but only when both of the following conditions hold: ozone.s3g.secret.http.enabled is set to true, and the user configured in ozone.s3g.kerberos.principal is also listed in ozone.s3.administrators or ozone.administrators. In that configuration the gateway's own principal holds administrative rights, so a secret operation requested through the gateway by an ordinary user succeeds against any user's secret. The CVSS vector reflects this as a high impact on both confidentiality (the caller learns the regenerated secret) and integrity (the victim's existing secret is revoked).

Recommendations: Upgrade to Apache Ozone version 1.4.1, which disables the affected endpoint. As a temporary workaround, set ozone.s3g.secret.http.enabled to false so the endpoint is not served, or remove the S3 Gateway principal from ozone.s3.administrators and ozone.administrators; either change breaks the precondition set. Independently of that, restrict network access to the S3 Gateway to the clients that need it, which limits who can attempt the request at all.
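The two preconditions in the description can be checked mechanically against a deployment's ozone-site.xml. The script below is an added example, not Apache Ozone project code: it parses the Hadoop-style configuration format Ozone uses, evaluates the advisory's conditions, and applies the workaround. It assumes the admin properties are comma-separated user names and reduces a Kerberos principal such as s3g/_HOST@EXAMPLE.COM to its primary component (s3g) before matching, which approximates the default principal-to-user mapping; a site with custom auth_to_local rules should adapt principal_short_name accordingly. The sample configuration is constructed for the example.

```python
"""Audit an ozone-site.xml for the CVE-2024-45106 precondition set.

Added example (not Apache Ozone project code). Assumes the standard
Hadoop-style <configuration>/<property> layout, comma-separated admin
lists, and that a principal maps to the user named by its primary
component (the part before '/' or '@').
"""
import xml.etree.ElementTree as ET

# Property names as given in the advisory text.
SECRET_HTTP = "ozone.s3g.secret.http.enabled"
S3G_PRINCIPAL = "ozone.s3g.kerberos.principal"
ADMIN_KEYS = ("ozone.s3.administrators", "ozone.administrators")


def parse_ozone_site(xml_text: str) -> dict:
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def principal_short_name(principal: str) -> str:
    """Reduce 's3g/_HOST@EXAMPLE.COM' to 's3g' (assumed default mapping)."""
    return principal.split("/", 1)[0].split("@", 1)[0]


def split_list(value: str) -> set:
    """Comma-separated list -> set of trimmed, non-empty entries."""
    return {item.strip() for item in value.split(",") if item.strip()}


def check_cve_2024_45106(props: dict) -> dict:
    """Evaluate the advisory's two preconditions against parsed properties.

    A missing ozone.s3g.secret.http.enabled is treated as disabled
    (assumption). A '*' entry in an admin list is treated as a match so
    the check errs on the side of reporting exposure.
    """
    http_enabled = props.get(SECRET_HTTP, "false").lower() == "true"
    principal = props.get(S3G_PRINCIPAL, "")
    candidates = {principal, principal_short_name(principal)} - {""}
    admin_hits = []
    for key in ADMIN_KEYS:
        admins = split_list(props.get(key, ""))
        if (candidates & admins) or "*" in admins:
            admin_hits.append(key)
    return {
        "secret_http_enabled": http_enabled,
        "s3g_principal": principal,
        "principal_in_admin_lists": admin_hits,
        "exposed": http_enabled and bool(admin_hits),
    }


def apply_workaround(props: dict) -> dict:
    """Return a copy with the advisory's workaround applied."""
    fixed = dict(props)
    fixed[SECRET_HTTP] = "false"
    return fixed


# Constructed sample: a 1.4.0 site meeting both preconditions.
VULNERABLE_SITE = """<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>ozone.s3g.secret.http.enabled</name><value>true</value></property>
  <property><name>ozone.s3g.kerberos.principal</name><value>s3g/_HOST@EXAMPLE.COM</value></property>
  <property><name>ozone.s3.administrators</name><value>alice</value></property>
  <property><name>ozone.administrators</name><value>om, s3g</value></property>
</configuration>"""


def audit(xml_text: str) -> dict:
    """Parse, evaluate, and also report whether the workaround clears it."""
    props = parse_ozone_site(xml_text)
    before = check_cve_2024_45106(props)
    after = check_cve_2024_45106(apply_workaround(props))
    return {"before": before, "after_workaround": after}


if __name__ == "__main__":
    for stage, result in audit(VULNERABLE_SITE).items():
        print(f"{stage}: exposed={result['exposed']} "
              f"admin_lists={result['principal_in_admin_lists']}")
```

Run the script against a real ozone-site.xml by passing its contents to audit(); a result with exposed=True on a 1.4.0 cluster means the advisory's conditions are met and the endpoint is reachable by every Kerberos-authenticated user. Note that the check only covers the configuration file it is given: properties set through other mechanisms, or principal mappings defined by custom auth_to_local rules, are not seen by it.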

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authentication

Related Identifiers

CVE-2024-45106
GHSA-RCQ8-9Q3J-98MW

Affected Products

Apache Ozone