Threat Finder

Threat ID
2780
Threat Date
06/20/2013
Threat Name
Client BlockTokens not checked
CVE Reference
CVE-2012-3376
CCE Reference
CCE-NO-MATCH
Risk
Medium
Database Type
Hadoop
Category
Patchable Vulnerabilities
Versions
Hadoop version 2.0.0-alpha
Summary
DataNodes in Apache Hadoop 2.0.0-alpha do not check the BlockTokens of clients when Kerberos is enabled and the DataNode has registered the same block pool twice with the NameNode, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.
Overview
When Hadoop's security features are enabled, clients authenticate to DataNodes using BlockTokens that the NameNode issues to the client. A DataNode can verify the validity of a BlockToken and rejects tokens that were not issued by the NameNode. Whether a DataNode checks BlockTokens at all is decided when it registers with the NameNode.
Due to a bug in the DataNode/NameNode registration process, a DataNode that registers more than once for the same block pool concludes that it thereafter no longer needs to check the BlockTokens sent by clients. The client continues to send BlockTokens as part of its communication with DataNodes, but the DataNodes no longer verify them, and nothing on the client side reveals the difference. A malicious client can then write to data for which it holds only read permission, or read any data block whose ID it can determine, including with a token that was never issued by the NameNode.
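The following is an added, self-contained model of the registration and token-check flow described above; it is not Hadoop's code, and the class names, the HMAC token format and the way the "check tokens" flag is flipped on re-registration are assumptions chosen to reproduce the behaviour the advisory describes. It contrasts a DataNode that mishandles a second registration for the same block pool with one that treats re-registration idempotently.

```python
"""Illustrative model (not Hadoop code) of CVE-2012-3376 behaviour:
a DataNode that stops verifying BlockTokens after registering the same
block pool twice, beside a hardened DataNode that does not."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

READ, WRITE = "READ", "WRITE"


def _mac(key: bytes, block_id: int, modes) -> bytes:
    # Assumed token format: HMAC over "<block id>:<sorted modes>".
    msg = f"{block_id}:{','.join(sorted(modes))}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class BlockToken:
    block_id: int
    modes: frozenset   # access modes the NameNode granted, e.g. {"READ"}
    mac: bytes


class NameNode:
    """Issues BlockTokens and tells DataNodes, at registration, whether
    token checking is on and which key to verify with."""

    def __init__(self, block_pool_id: str, token_enabled: bool = True):
        self.block_pool_id = block_pool_id
        self.token_enabled = token_enabled
        self.key = secrets.token_bytes(32)

    def registration_reply(self) -> dict:
        return {"bp": self.block_pool_id,
                "token_enabled": self.token_enabled,
                "key": self.key}

    def issue(self, block_id: int, modes) -> BlockToken:
        return BlockToken(block_id, frozenset(modes),
                          _mac(self.key, block_id, modes))


class DataNode:
    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable
        self.check_tokens = False
        self.keys = {}          # block pool id -> verification key

    def register(self, nn: NameNode) -> None:
        reply = nn.registration_reply()
        self.keys[reply["bp"]] = reply["key"]
        if self.vulnerable:
            # Assumed model of the bug: the flag is toggled rather than set,
            # so a second registration of the same block pool turns
            # checking off again.
            if reply["token_enabled"]:
                self.check_tokens = not self.check_tokens
        else:
            # Hardened: the NameNode's answer is authoritative and
            # re-registration is idempotent.
            self.check_tokens = reply["token_enabled"]

    def access(self, bp: str, block_id: int, mode: str, token: BlockToken) -> bool:
        """Serve a client request. Returns True if the request is served.
        Clients always send a token; only the DataNode decides whether
        to look at it."""
        if not self.check_tokens:
            return True     # token ignored: the failure mode in the advisory
        if token.block_id != block_id or mode not in token.modes:
            return False    # token does not cover this block / mode
        expected = _mac(self.keys[bp], block_id, token.modes)
        return hmac.compare_digest(token.mac, expected)  # issued by NameNode?


def scenario(vulnerable: bool, registrations: int) -> dict:
    """Register `registrations` times for one block pool, then try a
    read-only token for a write, a forged token (attacker knows a block
    ID but not the key) for a read, and a legitimate read."""
    nn = NameNode("BP-1")
    dn = DataNode(vulnerable)
    for _ in range(registrations):
        dn.register(nn)
    read_only = nn.issue(1234, {READ})
    forged = BlockToken(5678, frozenset({READ}), b"\x00" * 32)  # constructed
    return {
        "checking": dn.check_tokens,
        "write_with_read_token": dn.access("BP-1", 1234, WRITE, read_only),
        "read_with_forged_token": dn.access("BP-1", 5678, READ, forged),
        "legit_read": dn.access("BP-1", 1234, READ, read_only),
    }


if __name__ == "__main__":
    for vuln, regs in ((True, 1), (True, 2), (False, 2)):
        print("vulnerable" if vuln else "hardened", regs, scenario(vuln, regs))
```

The point the model makes is the one a practitioner has to live with: the legitimate read succeeds in every case and the client's traffic is identical whether or not the DataNode verifies the token, so a client cannot detect the degraded state; the defect has to be ruled out on the DataNode side by running a version without the registration bug.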
References
http://archives.neohapsis.com/archives/bugtraq/2012-07/0049.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3376
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.