
=====================================================================

                                    CERT-Renater

                        Information Note No. 2021/VULN617
_____________________________________________________________________

DATE                : 22/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Ozone versions prior to 1.2.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3c5029c1ac-4685-8492-e3cb-ab48c5c370cf@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3c110cd117-75ed-364b-cd38-3effd20f2183@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3c3c30a7f2-13a4-345e-6c8a-c23a2b937041@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3c394a9a73-44dd-b5db-84d8-607c3226eb00@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3c97d65498-7f8c-366f-1bea-5a74b6378f0d@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3c93f88246-4320-7423-0dac-ec7a07f47455@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3c0fd74baa-88a0-39a2-8f3a-b982acb25d5a@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3ce0bc6598-9669-b897-fc28-de8a896e36aa@apache.org%3e
_____________________________________________________________________

CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved
Date     Thu, 18 Nov 2021 23:03:45 GMT

Description:

Initially generated block tokens are persisted to the metadata database
and can be retrieved by authenticated users with permission to the
key. Authenticated users may use them even after access is revoked.

This issue is being tracked as HDDS-5315

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Marton Elek for reporting this issue.

_____________________________________________________________________

CVE-2021-39231: Apache Ozone: Missing authentication/authorization on internal RPC endpoints
Date     Thu, 18 Nov 2021 23:04:17 GMT

Description:

Various internal server-to-server RPC endpoints are available for
connections, making it possible for an attacker to download raw data
from Datanode and Ozone manager and modify Ratis replication
configuration.

This issue is being tracked as HDDS-4704, HDDS-4730, HDDS-4496, HDDS-4788

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Marton Elek for reporting this issue.


_____________________________________________________________________

CVE-2021-39232: Apache Ozone: Missing admin check for SCM related admin commands
Date     Thu, 18 Nov 2021 23:04:45 GMT

Description:

Certain admin related SCM commands can be executed by any authenticated
users, not just by admins.

This issue is being tracked as HDDS-4530

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Wei-Chiu Chuang for reporting this issue.


_____________________________________________________________________

CVE-2021-39233: Apache Ozone: Container-related datanode operations can
be called without authorization
Date     Thu, 18 Nov 2021 23:06:09 GMT

Description:

Container related Datanode requests of Ozone Datanode were not properly
authorized and can be called by any client.

This issue is being tracked as HDDS-4729, HDDS-5236

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Marton Elek for reporting this issue.

_____________________________________________________________________

CVE-2021-39234: Apache Ozone: Raw block data can be read bypassing
ACL/authorization
Date     Thu, 18 Nov 2021 23:06:29 GMT

Description:

Authenticated users knowing the ID of an existing block can craft a
specific request allowing access to those blocks, bypassing other
security checks like ACL.

This issue is being tracked as HDDS-5061

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Marton Elek for reporting this issue.


_____________________________________________________________________

CVE-2021-39235: Apache Ozone: Access mode of block tokens are not
enforced
Date     Thu, 18 Nov 2021 23:07:01 GMT

Description:

Ozone Datanode doesn't check the access mode parameter of the block
token. Authenticated users with a valid READ block token can do any
write operation on the same block.

This issue is being tracked as HDDS-4558, HDDS-4644

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Marton Elek for reporting this issue.
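
A simplified model of the access-mode check described in CVE-2021-39235, added here as an illustration; it is not Apache Ozone code. The token layout, signing key, block ID and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # stand-in for the token-signing secret

def issue_token(user, block_id, modes):
    """Sign (user, block, allowed access modes), as a token issuer would."""
    body = json.dumps({"user": user, "block": block_id, "modes": sorted(modes)},
                      sort_keys=True)
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def _verified_claims(token):
    """Return the claims if the signature is valid, else None."""
    expected = hmac.new(SECRET, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    return json.loads(token["body"])

def authorize_without_mode_check(token, block_id, operation):
    """Flawed pattern from the advisory: signature and block match, mode ignored."""
    claims = _verified_claims(token)
    return claims is not None and claims["block"] == block_id

def authorize_with_mode_check(token, block_id, operation):
    """Corrected pattern: the requested operation must be in the signed modes."""
    claims = _verified_claims(token)
    return (claims is not None
            and claims["block"] == block_id
            and operation in claims["modes"])

def demo():
    read_token = issue_token("alice", "block-0001", {"READ"})  # constructed sample
    results = {}
    for name, check in (("no_mode_check", authorize_without_mode_check),
                        ("mode_check", authorize_with_mode_check)):
        results[name] = {op: check(read_token, "block-0001", op)
                         for op in ("READ", "WRITE")}
    return results

if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

A regression test for this class of bug asserts that a READ-only token is refused for WRITE, rather than only asserting that valid tokens are accepted.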

_____________________________________________________________________

CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated
Date     Thu, 18 Nov 2021 23:07:24 GMT

Description:

Authenticated users with valid Ozone S3 credentials can create specific
OM requests, impersonating any other user.

This issue is being tracked as HDDS-4763

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Marton Elek for reporting this issue.

_____________________________________________________________________

CVE-2021-41532: Apache Ozone: Unauthenticated access to Ozone Recon HTTP endpoints
Date     Thu, 18 Nov 2021 23:07:46 GMT

Severity: moderate

Description:

Recon HTTP endpoints provide access to OM, SCM and Datanode metadata.
Due to a bug, any unauthenticated user can access the data from these
endpoints.

This issue is being tracked as HDDS-5691

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Ethan Rose for reporting this issue.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


