Details
Type: Bug
Status: Closed
Priority: Blocker
Resolution: Won't Fix
Affects Version/s: 5.15.4
Fix Version/s: None
Component/s: None
Description
ActiveMQ 5.15.4 depends on hadoop-core-1.0.0.jar, which has two high-severity CVEs against it.
Discovered by adding OWASP Dependency-Check to the ActiveMQ pom.xml and running the OWASP report.
CVE-2012-4449 Severity: High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.
CONFIRM - https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0
MLIST - [hadoop-general] 20121012 [ANNOUNCE] Hadoop-1.0.4 release, with Security fix
Vulnerable Software & Versions:
cpe:/a:apache:hadoop:1.0.0
CVE-2017-3162 Severity: High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.
BID - 98017
MLIST - [hadoop-common-dev] 20170425 CVE-2017-3162: Apache Hadoop DataNode web UI vulnerability
Vulnerable Software & Versions:
cpe:/a:apache:hadoop:2.6.5 and all previous versions
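For readers who want to reproduce the scan described in the report, the following is an added example of wiring the OWASP dependency-check-maven plugin into a pom.xml so that the build fails on findings at or above CVSS 7.0 (the threshold both CVEs above clear). It is not taken from the ActiveMQ project's own pom.xml or from the reporter; the plugin version is a placeholder to be replaced with the current release, and the suppression file name is an assumed path.

```xml
<!-- Added example, not the ActiveMQ project's own configuration.
     Assumptions: plugin version is a placeholder; the suppression file
     path is hypothetical and only needed once findings are risk-accepted. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.4.0</version> <!-- placeholder: use the current release -->
      <configuration>
        <!-- Fail the build when any dependency carries a CVE with a
             CVSS base score of 7.0 or higher; this catches both
             CVE-2012-4449 and CVE-2017-3162 (7.5) on hadoop-core-1.0.0. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- HTML for people reading the report, JSON for CI tooling. -->
        <formats>
          <format>HTML</format>
          <format>JSON</format>
        </formats>
        <!-- Accepted findings are documented here rather than by lowering
             the threshold; keep this file under code review. -->
        <suppressionFiles>
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <!-- Bind the "check" goal so the scan runs as part of "mvn verify". -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn verify` then produces target/dependency-check-report.html (and .json) per module and fails the build on the two High findings above. To see which ActiveMQ module actually pulls hadoop-core onto the classpath before deciding on an upgrade, exclusion or suppression, `mvn dependency:tree -Dincludes=org.apache.hadoop` from the maven-dependency-plugin prints only the dependency paths that lead to Hadoop artifacts.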