CVE-2021-39236

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with valid Ozone S3 credentials to impersonate any other user by crafting specific Ozone Manager (OM) requests. It affects Apache Ozone deployments where users have S3 credentials. Attackers could escalate privileges and perform unauthorized actions as the impersonated user.

💻 Affected Systems

Products:
  • Apache Ozone
Versions: All versions before 1.2.0
Operating Systems: All platforms running Apache Ozone
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where users have Ozone S3 credentials. Requires authenticated access.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could impersonate administrative users, gaining full control over the Ozone cluster to read, modify, or delete all data, and potentially compromise the entire system.

🟠

Likely Case

Malicious users with legitimate S3 credentials could impersonate other users to access sensitive data they shouldn't have permission to view, or perform unauthorized operations.

🟢

If Mitigated

With proper network segmentation and minimal privilege access controls, impact would be limited to the specific Ozone instance and its data, preventing lateral movement.

🌐 Internet-Facing: HIGH if Ozone S3 endpoints are exposed to the internet, as authenticated users could exploit this remotely.
🏢 Internal Only: MEDIUM for internal deployments, as attackers would need internal network access and valid credentials, but could still cause significant damage.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid S3 credentials and knowledge of specific OM request crafting. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0 and later

Vendor Advisory: https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C0fd74baa-88a0-39a2-8f3a-b982acb25d5a%40apache.org%3E

Restart Required: Yes

Instructions:

1. Back up your Ozone configuration and data.
2. Download Apache Ozone 1.2.0 or later from the official Apache website.
3. Stop all Ozone services.
4. Upgrade to the patched version following the official upgrade guide.
5. Restart Ozone services and verify functionality.

🔧 Temporary Workarounds

Restrict S3 Credential Access

Limit S3 credential issuance to only trusted users who require it, reducing the attack surface.

Review and audit all S3 credential assignments in Ozone

Network Segmentation

Isolate Ozone S3 endpoints from untrusted networks and implement strict firewall rules.

Configure firewall to restrict access to Ozone S3 ports (default 9878) to only trusted IPs

🧯 If You Can't Patch

  • Implement strict access controls and monitor all S3 credential usage for suspicious activity
  • Segment Ozone deployment and limit exposure to only essential users and services

🔍 How to Verify

Check if Vulnerable:

Check your Apache Ozone version. If it's below 1.2.0 and you have S3 credentials configured, you are vulnerable.

Check Version:

ozone version

Verify Fix Applied:

After upgrading to 1.2.0 or later, verify the version and test that authenticated users cannot impersonate others via OM requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual OM request patterns from S3 authenticated users
  • Multiple user impersonation attempts in OM logs
  • Failed authorization attempts followed by successful requests from same source

Network Indicators:

  • Unusual volume of OM requests from S3 endpoints
  • Requests attempting to modify user permissions or access tokens

SIEM Query:

source="ozone.log" AND ("OM request" OR "impersonation" OR "user context") AND severity=WARN|ERROR
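As an added detection example (not from this advisory or the Ozone project), the script below applies the impersonation indicator above to constructed Ozone Manager audit-style lines: it flags every OM request where the user the request ran as differs from the principal the S3 credential was issued to. The line layout, the s3_access field and the credential-owner mapping are assumptions, so adapt the regex and the mapping to your actual OM audit log format and credential inventory.

```python
import re
from collections import Counter

# Constructed sample of OM audit-style lines. The "user=... | ip=... | op=..."
# layout and the "s3_access=" field are assumptions for this example, not
# Ozone's real audit schema; adjust LINE_RE to match your OM audit log.
SAMPLE_OM_LOG = """\
user=alice | ip=10.0.0.5 | op=CREATE_KEY | s3_access=AKIAALICE | ret=SUCCESS
user=alice | ip=10.0.0.5 | op=READ_KEY | s3_access=AKIAALICE | ret=SUCCESS
user=admin | ip=10.0.0.5 | op=DELETE_VOLUME | s3_access=AKIAALICE | ret=SUCCESS
user=admin | ip=10.0.0.5 | op=SET_OWNER | s3_access=AKIAALICE | ret=SUCCESS
user=bob | ip=10.0.0.9 | op=READ_KEY | s3_access=AKIABOB | ret=SUCCESS
"""

# Constructed mapping of S3 access IDs to the principal each was issued to
# (exported from your credential inventory in a real deployment).
S3_CREDENTIAL_OWNER = {"AKIAALICE": "alice", "AKIABOB": "bob"}

LINE_RE = re.compile(
    r"user=(?P<user>\S+) \| ip=(?P<ip>\S+) \| op=(?P<op>\S+) "
    r"\| s3_access=(?P<s3>\S+) \| ret=(?P<ret>\S+)"
)


def find_impersonation(log_text, owners):
    """Return OM requests whose acting user differs from the S3 credential's
    owner. On an unpatched cluster this mismatch is what CVE-2021-39236
    impersonation looks like in the audit trail."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not OM request records
        rec = m.groupdict()
        owner = owners.get(rec["s3"])
        if owner is not None and owner != rec["user"]:
            findings.append({"s3_access": rec["s3"], "owner": owner,
                             "acting_as": rec["user"], "op": rec["op"],
                             "ip": rec["ip"]})
    return findings


def summarize(findings):
    """Count mismatches per (credential, impersonated user) for alert thresholds."""
    return Counter((f["s3_access"], f["acting_as"]) for f in findings)


if __name__ == "__main__":
    hits = find_impersonation(SAMPLE_OM_LOG, S3_CREDENTIAL_OWNER)
    for h in hits:
        print(f"ALERT {h['s3_access']} (owner {h['owner']}) acted as "
              f"{h['acting_as']} for {h['op']} from {h['ip']}")
    print(dict(summarize(hits)))
```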
