CVE-2012-4449
CRITICAL
Apache Hadoop < 0.23.4, 1.x < 1.0.4, 2.x < 2.0.2 - Use of a Broken or Risky Cryptographic Algorithm
Title source: llmDescription
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.
References (2)
Core References
Issue Tracking, Third Party Advisory (x_refsource_confirm)
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0
Mailing List, Various Sources (x_refsource_mlist)
http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q%40mail.gmail.com%3E
Scores
CVSS v3
9.8
EPSS
0.0120
EPSS Percentile
64.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-327
Status
published
Products (9)
apache/hadoop 1.0.0
apache/hadoop 1.0.1
apache/hadoop 1.0.2
apache/hadoop 1.0.3
apache/hadoop 2.0.0 alpha
apache/hadoop 2.0.1 alpha
apache/hadoop 2.0.2 alpha
apache/hadoop < 0.23.3
org.apache.hadoop/hadoop-client 0 - 0.23.4 (Maven)
Published
Oct 30, 2017
Tracked Since
Feb 18, 2026