- Threat ID
- Threat Date
- Threat Name: Client BlockTokens not checked
- CVE Reference
- CCE Reference
- Database Type
- Patchable Vulnerabilities
- Hadoop version 2.0.0-alpha
- DataNodes in Apache Hadoop 2.0.0 alpha do not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NameNode, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.
- When Hadoop's security features are enabled, clients authenticate to DataNodes using BlockTokens that the NameNode issues to the client. DataNodes can verify the validity of a BlockToken and reject any token that was not issued by the NameNode. A DataNode decides whether it needs to check BlockTokens at all when it registers with the NameNode.
Due to a bug in the DataNode/NameNode registration process, a DataNode which registers more than once for the same block pool will conclude that it thereafter no longer needs to check for BlockTokens sent by clients. That is, the client will continue to send BlockTokens as part of its communication with DataNodes, but the DataNodes will not check the validity of the tokens. Malicious clients may then gain write access to data for which they have read-only permission, or gain read access to any data blocks whose IDs they can determine.
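The registration-state flaw described above, modelled as an added example: this is a constructed Python illustration written for this page, not Hadoop's code, and the class, the registration fields and the HMAC token format are all assumptions. It shows a flawed node that stops verifying after a repeat registration beside a hardened node that never relaxes enforcement once it is on.

```python
import hmac
import hashlib
# Constructed model of the behaviour the advisory describes; not Hadoop's code.
# A BlockToken is modelled as an HMAC over (block id, access mode) under a
# secret the NameNode shares with its DataNodes.

def issue_token(secret: bytes, block_id: str, mode: str) -> bytes:
    """NameNode side: bind a block id and an access mode to the shared secret."""
    return hmac.new(secret, f"{block_id}:{mode}".encode(), hashlib.sha256).digest()

class DataNode:
    def __init__(self, hardened: bool):
        self.hardened = hardened      # False reproduces the flawed behaviour
        self.pools = set()            # block pools this node has registered for
        self.check_tokens = False     # decided at registration time
        self.secret = b""

    def register(self, pool_id: str, token_enabled: bool, secret: bytes) -> None:
        """Process a registration reply from the NameNode for one block pool."""
        if pool_id in self.pools and not self.hardened:
            # Flawed: a repeat registration for an already-known pool is taken
            # to mean there is nothing left to enforce, so checking is switched off.
            self.check_tokens = False
            return
        if self.hardened and self.check_tokens and not token_enabled:
            # Hardened: once enforcement is on, a later registration may never
            # relax it; surface the inconsistency for alerting instead.
            raise RuntimeError(f"{pool_id}: refusing to disable BlockToken checks")
        self.pools.add(pool_id)
        self.check_tokens = token_enabled
        self.secret = secret

    def authorize(self, block_id: str, mode: str, token: bytes) -> bool:
        if not self.check_tokens:
            return True               # token is received but never verified
        expected = issue_token(self.secret, block_id, mode)
        return hmac.compare_digest(expected, token)

def after_double_registration(hardened: bool) -> dict:
    """Register one pool twice, then record the node's authorization decisions."""
    nn_secret = b"constructed-namenode-secret"
    dn = DataNode(hardened)
    dn.register("BP-1", True, nn_secret)
    dn.register("BP-1", True, nn_secret)  # second registration, same pool
    good_read = issue_token(nn_secret, "blk_1", "READ")
    unissued = issue_token(b"not-the-namenode-secret", "blk_1", "READ")
    return {
        "valid_read": dn.authorize("blk_1", "READ", good_read),
        "unissued_token": dn.authorize("blk_1", "READ", unissued),
        "read_token_used_for_write": dn.authorize("blk_1", "WRITE", good_read),
    }
```

With `hardened=False` every probe is honoured after the second registration; with `hardened=True` only the token the NameNode actually issued, for the mode it was issued for, is accepted.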
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.