11 matches found
CVE-2021-39231
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...
GHSA-3W5H-X4RH-HC28 Exposure of sensitive information in Apache Ozone
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...
Exposure of sensitive information in Apache Ozone
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...
org.apache.hadoop:hadoop-ozone-dist (>=0.4.0-alpha <=0.4.1-alpha), org.apache.hadoop:hadoop-ozone-insight (>=0.5.0-beta <=1.1.0) +3 more potentially affected by CVE-2021-39236 via org.apache.hadoop:hadoop-ozone-ozone-manager (>=0.4.0-alpha <=1.1.0)
org.apache.hadoop:hadoop-ozone-ozone-manager MAVEN version =0.4.0-alpha, =0.4.0-alpha, =0.5.0-beta, =0.4.0-alpha, =0.4.1-alpha, =0.4.0-alpha, =1.1.0 Source cves: CVE-2021-39236 Source advisory: OSV:GHSA-5993-WWPG-M92C...
Privilege Escalation
hadoop-ozone-ozone-manager is vulnerable to privilege escalation. The library does not check the access mode parameter of the block token, allowing an attacker with a read block token to do write operations...
Information Disclosure
hadoop-hdds-container-service is vulnerable to information disclosure. An attacker can modify Ratis replication configuration through the server-to-server RPC endpoint by downloading the raw data from the data node and ozone manager...
CVE-2021-39231
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...
CVE-2021-39231
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...
CVE-2021-39231 Missing authentication/authorization on internal RPC endpoints
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...
Apache Ozone Security Vulnerability
Apache Ozone is an application. A scalable, redundant and distributed object store for Hadoop and cloud-native environments. Apache Ozone version 1.2.0 has a security vulnerability that stems from various internal server-to-server RPC endpoints that can be used to connect, and an attacker can...
PT-2021-22481 · Apache · Apache Ozone
Name of the Vulnerable Software and Affected Versions: Apache Ozone versions prior to 1.2.0 Description: The issue allows an attacker to access internal server-to-server RPC endpoints, enabling them to download raw data from Datanode and Ozone manager, and modify Ratis replication configuration...