CVE-2020-9492

Public on

Last Modified: UTC

ImportantImportant ImpactWhat does this mean?
DescriptionStatementAdditional informationAffected PackagesCVSS Score DetailsWeakness (CWE)FAQ

Description

A flaw was found in Apache hadoop. The WebHDFS client can send a SPNEGO authorization header to a remote URL without proper verification which could lead to an access restriction bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

A flaw was found in Apache hadoop. The WebHDFS client can send a SPNEGO authorization header to a remote URL without proper verification which could lead to an access restriction bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Statement

While OpenShift Container Platform (OCP) does package a vulnerable version of hadoop-hdfs-client in the hadoop and hive containers, the HDFS storage back-end is not enabled by default and is largely undocumented/unsupported. However, as it still can be enabled by using the configuration option `unsupportedFeatures.enabledHDFS`, the vulnerability has been rated Moderate for OCP. In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of hadoop package. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated

While OpenShift Container Platform (OCP) does package a vulnerable version of hadoop-hdfs-client in the hadoop and hive containers, the HDFS storage back-end is not enabled by default and is largely undocumented/unsupported. However, as it still can be enabled by using the configuration option unsupportedFeatures.enabledHDFS, the vulnerability has been rated Moderate for OCP.

In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of hadoop package. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.

[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated

Additional information

  • Bugzilla 1925237: hadoop: WebHDFS client might send SPNEGO authorization header
  • CWE-863: Incorrect Authorization
  • FAQ: Frequently asked questions about CVE-2020-9492

Common Vulnerability Scoring System (CVSS) Score Details

Important note

CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).

CVSS v3 Score Breakdown
Red HatNVD

CVSS v3 Base Score

8.8

8.8

Attack Vector

Network

Network

Attack Complexity

Low

Low

Privileges Required

Low

Low

User Interaction

None

None

Scope

Unchanged

Unchanged

Confidentiality Impact

High

High

Integrity Impact

High

High

Availability Impact

High

High

CVSS v3 Vector

Red Hat: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

NVD: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Understanding the Weakness (CWE)

CWE-863

Confidentiality

Technical Impact: Read Application Data; Read Files or Directories

An attacker could bypass intended access restrictions to read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.

Integrity

Technical Impact: Modify Application Data; Modify Files or Directories

An attacker could bypass intended access restrictions to modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.

Access Control

Technical Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism

An attacker could bypass intended access restrictions to gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.

Confidentiality,Integrity,Availability

Technical Impact: Execute Unauthorized Code or Commands

An attacker could use elevated privileges to execute unauthorized commands or code.

Availability

Technical Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)

An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.

Frequently Asked Questions

Why is Red Hat's CVSS v3 score or Impact different from other vendors?

My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?

What can I do if my product is listed as "Will not fix"?

What can I do if my product is listed as "Fix deferred"?

What is a mitigation?

I have a Red Hat product but it is not in the above list, is it affected?

Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?

Want to get errata notifications? Sign up here.