{ "threat_severity" : "Important", "public_date" : "2021-01-26T00:00:00Z", "bugzilla" : { "description" : "hadoop: WebHDFS client might send SPNEGO authorization header", "id" : "1925237", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1925237" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-863", "details" : [ "In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.", "A flaw was found in Apache hadoop. The WebHDFS client can send a SPNEGO authorization header to a remote URL without proper verification which could lead to an access restriction bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ], "statement" : "While OpenShift Container Platform (OCP) does package a vulnerable version of hadoop-hdfs-client in the hadoop and hive containers, the HDFS storage back-end is not enabled by default and is largely undocumented/unsupported. However, as it still can be enabled by using the configuration option `unsupportedFeatures.enabledHDFS`, the vulnerability has been rated Moderate for OCP.\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of hadoop package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "affected_release" : [ { "product_name" : "RHAF Camel-K 1.8", "release_date" : "2022-09-09T00:00:00Z", "advisory" : "RHSA-2022:6407", "cpe" : "cpe:/a:redhat:integration:1", "package" : "hadoop-hdfs-client", "impact" : "low" }, { "product_name" : "RHINT Camel-Q 2.7", "release_date" : "2022-07-19T00:00:00Z", "advisory" : "RHSA-2022:5606", "cpe" : "cpe:/a:redhat:camel_quarkus:2.7" } ], "package_state" : [ { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "hadoop-hdfs-client", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "impact" : "low" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Affected", "package_name" : "hadoop-hdfs-client", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "low" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "hadoop-hdfs-client", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "hadoop-hdfs-client", "cpe" : "cpe:/a:redhat:jboss_fuse:6", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-9492\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-9492\nhttps://hadoop.apache.org/cve_list.html\nhttps://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHADOOP-1065272" ], "name" : "CVE-2020-9492", "csaw" : false }