Apache HadoopDZÔÚȨÏÞÌáÉýÎó²î£¨CVE-2020-9492£©

Ðû²¼Ê±¼ä 2021-01-27

0x00 Îó²î¸ÅÊö

CVE  ID

CVE-2020-9492

ʱ  ¼ä

2021-01-27

Àà  ÐÍ

ȨÏÞÌáÉý

µÈ  ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£


 

0x01 Îó²îÏêÇé

image.png

 

Apache HadoopÊÇÒ»Ì×ÓÃÓÚÓÉͨÓÃÓ²¼þ¹¹½¨µÄ´óÐͼ¯ÈºÉÏÔËÐÐÓ¦ÓóÌÐòµÄ¿ò¼Ü£¬ £¬£¬£¬ËüʵÏÖÁËMap/Reduce±à³Ì·¶ÐÍ£¬ £¬£¬£¬ÅÌËãʹÃü»á±»¶à´ÎÖ§½â³ÉС¿é²¢ÔËÐÐÔÚ²î±ðµÄ½ÚµãÉÏ¡£¡£¡£³ý´ËÖ®Í⣬ £¬£¬£¬Ëü»¹ÌṩÁËÒ»¿îÂþÑÜʽÎļþϵͳ£¨HDFS£©£¬ £¬£¬£¬Êý¾Ý±»´æ´¢ÔÚÅÌËã½ÚµãÉÏÒÔÌṩ¸ßЧµÄ¿çÊý¾ÝÖÐÐľۺϴø¿í¡£¡£¡£

2021Äê01ÔÂ26ÈÕ£¬ £¬£¬£¬ApacheÐû²¼Ç徲ͨ¸æ£¬ £¬£¬£¬¹ûÕæÁËApache HadoopÖÐÒ»¸öDZÔÚµÄȨÏÞÌáÉýÎó²î£¨CVE-2020-9492£©¡£¡£¡£

WebHDFS¿Í»§¶Ë¿ÉÄÜ»áÔÚûÓÐÊʵ±ÑéÖ¤µÄÇéÐÎϽ«SPNEGOÊÚȨ±êÍ··¢Ë͵½Ô¶³ÌURL£¬ £¬£¬£¬¹¥»÷Õß¿ÉÒÔͨ¹ýʹÓôËÎó²î½«Ð§ÀÍÆ÷ƾ֤·¢Ë͵½webhdfs·¾¶À´»ñȡЧÀÍÖ÷Ìå¡£¡£¡£

 

Ó°Ïì¹æÄ£

Apache Hadoop 3.2.0-3.2.1

Apache Hadoop 3.0.0-alpha1-3.1.3

Apache Hadoop 2.0.0-alpha-2.10.0


0x02 ´¦Öóͷ£½¨Òé

ÏÖÔÚ£¬ £¬£¬£¬¸ÃÎó²îµÄ²¹¶¡ÔÝδÐû²¼£¬ £¬£¬£¬½¨ÒéʵʱӦÓÃÒÔÏ»º½â²½·¥¡£¡£¡£

»º½â²½·¥

ÉèÖòî±ðµÄhttpÊðÃûÉñÃØ£¬ £¬£¬£¬²¢Ê¹ÓÃרÓÃÖ÷»ú¾ÙÐÐÿ¸öȨÏÞÄ£ÄâЧÀÍ£¨ÈçHiveServer2£©¡£¡£¡£

Éý¼¶µ½3.3.0¡¢3.2.2¡¢3.1.4¡¢2.10.1»ò¸üеÄTLS¼ÓÃÜ°æ±¾£¬ £¬£¬£¬ÆôÓò¢½«dfs.http.policyÉèÖÃΪHTTPS_ONLY¡£¡£¡£

 

0x03 ²Î¿¼Á´½Ó

http://mail-archives.apache.org/mod_mbox/www-announce/202101.mbox/%3CCAP+3qq6eDjjZG-G03RFRj9rrG4r1u=891UUEU2S8fbOCKTe4QA@mail.gmail.com%3E

https://hadoop2help.blogspot.com/2021/01/cve-2020-9492-apache-hadoop-potential.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9492

 

0x04 ʱ¼äÏß

2021-01-26  ApacheÐû²¼Ç徲ͨ¸æ

2021-01-27  VSRCÐû²¼Ç徲ͨ¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö±ê×¼¹ÙÍø£ºhttp://www.first.org/cvss/

image.png