CVE-2012-4449

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q%40mail.gmail.com%3E
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:hadoop::::::::
	cpe:2.3:a:apache:hadoop:1.0.0:::::::*
	cpe:2.3:a:apache:hadoop:1.0.1:::::::*
	cpe:2.3:a:apache:hadoop:1.0.2:::::::*
	cpe:2.3:a:apache:hadoop:1.0.3:::::::*
	cpe:2.3:a:apache:hadoop:2.0.0:alpha::::::
	cpe:2.3:a:apache:hadoop:2.0.1:alpha::::::
	cpe:2.3:a:apache:hadoop:2.0.2:alpha::::::

History

07 Nov 2023, 02:11

Type	Values Removed	Values Added
References	{'url': 'http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q@mail.gmail.com%3E', 'name': '[hadoop-general] 20121012 [ANNOUNCE] Hadoop-1.0.4 release, with Security fix', 'tags': ['Issue Tracking', 'Vendor Advisory'], 'refsource': 'MLIST'}	() http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q%40mail.gmail.com%3E -

Information

Published : 2017-10-30 19:29

Updated : 2023-12-10 12:15

NVD link : CVE-2012-4449

Mitre link : CVE-2012-4449

CVE.ORG link : CVE-2012-4449

JSON object : View

Products Affected

apache

hadoop

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

{"id": "CVE-2012-4449", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2017-10-30T19:29:00.200", "references": [{"url": "http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q%40mail.gmail.com%3E", "source": "secalert@redhat.com"}, {"url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-327"}]}], "descriptions": [{"lang": "en", "value": "Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack."}, {"lang": "es", "value": "Apache Hadoop en versiones anteriores a la 0.23.4, las versiones 1.x anteriores a la 1.0.4 y las versiones 2.x anteriores a la 2.0.2 genera contrase\u00f1as token empleando un secreto de 20 bits cuando las caracter\u00edsticas de seguridad de Kerberos est\u00e1n habilitadas. Esto permite que atacantes dependientes del contexto descubran las claves secretas mediante un ataque de fuerza bruta."}], "lastModified": "2023-11-07T02:11:52.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9FE6038C-E381-4DAC-8ACC-AF872B0AC539", "versionEndIncluding": "0.23.3"}, {"criteria": "cpe:2.3:a:apache:hadoop:1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCC82E5C-775B-4BB0-AE38-6CF546CD6A4F"}, {"criteria": "cpe:2.3:a:apache:hadoop:1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA4A72DC-B207-4013-ADED-BDEEE3940486"}, {"criteria": "cpe:2.3:a:apache:hadoop:1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D85AFEF0-A4A8-435A-8774-C838A511B1A6"}, {"criteria": "cpe:2.3:a:apache:hadoop:1.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "070C91FA-BB2B-4005-83CC-9463A875AE9F"}, {"criteria": "cpe:2.3:a:apache:hadoop:2.0.0:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "227941BD-D769-45AD-9D61-7FCA3C2264FA"}, {"criteria": "cpe:2.3:a:apache:hadoop:2.0.1:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18BF490A-0865-47C0-A143-0991B40BD259"}, {"criteria": "cpe:2.3:a:apache:hadoop:2.0.2:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E091799F-203D-4C52-839E-E798770C0287"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}