Client BlockTokens not checked in Apache Hadoop
High severity
GitHub Reviewed
Published May 17, 2022 to the GitHub Advisory Database. Updated Jan 27, 2023.
Package
Affected versions: = 2.0.0-alpha
Patched versions: 2.0.1-alpha
Description
Published by the National Vulnerability Database: Jul 12, 2012
Reviewed: Jul 13, 2022
DataNodes in Apache Hadoop 2.0.0 alpha do not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NameNode, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.