Vulnerability Description
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Hadoop | <= 0.23.3 |
Related Weaknesses (CWE)
References
- http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FY
- https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2012-4449?
CVE-2012-4449 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-depend...
How severe is CVE-2012-4449?
CVE-2012-4449 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2012-4449?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Hadoop.