
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN542
_____________________________________________________________________

DATE                : 28/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Hadoop versions prior to
                     2.10.0, 3.0.1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/hadoop-general/202009.mbox/%3cCAP+3qq6HuQydgKF0VreiO0M5PqhqP1smtr6wQH=Gxw61-_pYeA@mail.gmail.com%3e
_____________________________________________________________________

CVE-2018-11765: Potential information disclosure in Hadoop Web interfaces

Severity: Important

Vendor: The Apache Software Foundation

Versions affected:
3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5

Description:
When Kerberos authentication is enabled and SPNEGO through HTTP is not
enabled, any user can access some servlets without authentication.

Mitigation:
Users should upgrade to Apache Hadoop 2.10.0, 3.0.1 or later. If you
are using an affected version of Apache Hadoop, you need to enable
SPNEGO through HTTP.
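The following core-site.xml fragment is an added illustration of the mitigation; it is not part of the CERT-Renater note or of the Apache announcement. The property names are the ones Hadoop documents for HTTP (SPNEGO) authentication; the realm, host and keytab path are placeholders to be replaced with site values. The comments mark the setting that, left at its default, leaves the web servlets reachable without authentication even when RPC is Kerberos-protected.

```xml
<?xml version="1.0"?>
<!-- core-site.xml (excerpt). Added example, not the advisory's own text.
     Realm and keytab path below are placeholders. -->
<configuration>

  <!-- Kerberos for RPC only: this alone does NOT protect the web UIs -->
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>

  <!-- Install the HTTP authentication filter on the web servers -->
  <property>
    <name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
  </property>

  <!-- Weak default is "simple" (no authentication of HTTP callers);
       "kerberos" enables SPNEGO as the advisory requires -->
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>kerberos</value>
  </property>

  <!-- Service principal for the HTTP endpoints; _HOST is expanded per node.
       EXAMPLE.REALM is a placeholder. -->
  <property>
    <name>hadoop.http.authentication.kerberos.principal</name>
    <value>HTTP/_HOST@EXAMPLE.REALM</value>
  </property>

  <!-- Keytab holding the HTTP principal; path is a placeholder -->
  <property>
    <name>hadoop.http.authentication.kerberos.keytab</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
  </property>

  <!-- Do not let unauthenticated callers fall back to anonymous access -->
  <property>
    <name>hadoop.http.authentication.simple.anonymous.allowed</name>
    <value>false</value>
  </property>

</configuration>
```

After restarting the daemons, a request to any web UI page made without a Kerberos ticket should be refused with HTTP 401 and a WWW-Authenticate: Negotiate header; a request made with a valid ticket (for example curl with --negotiate) should succeed. Seeing servlet content returned to an unauthenticated client is the sign that the filter is not active.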

Credit:
This issue was discovered by Owen O'Malley and reported by Larry McCay.


=========================================================
+ CERT-RENATER       |    tel  : 01-53-94-20-44         +
+ 23/25 Rue Daviel   |    fax  : 01-53-94-20-41         +
+ 75013 Paris        |    email: cert@support.renater.fr +
=========================================================
