Missing authentication/authorization on internal RPC endpoints
Description
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanodes and the Ozone Manager and to modify the Ratis replication configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Ozone <1.2.0, unauthenticated internal RPC endpoints let attackers download raw data and modify Ratis replication config.
Vulnerability
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are exposed without proper authentication or authorization [1][3]. This affects communication between Datanodes and the Ozone Manager, as well as endpoints involved in Ratis replication configuration [3]. The code paths are reachable by any network entity that can connect to these internal RPC ports [1].
Exploitation
An attacker with network access to the internal RPC ports can connect to these unprotected endpoints [1][3]. No authentication or prior privileges are required [3]. The attacker can issue requests to download raw data from Datanodes and the Ozone Manager, or modify the Ratis replication configuration [1][3].
Impact
Successful exploitation allows an attacker to download raw data from Datanodes and the Ozone Manager, leading to unauthorized information disclosure [1][3]. Additionally, the attacker can modify the Ratis replication configuration, potentially affecting data redundancy and consistency [1][3]. The impact is a breach of confidentiality and integrity of the storage system [1][3].
Mitigation
Apache has released version 1.2.0 of Ozone, which fixes this issue [3]. Users should upgrade to Apache Ozone 1.2.0 or later [3]. No workarounds are mentioned in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.ozone:ozone-main | Maven | < 1.2.0 | 1.2.0 |
Affected products
- Apache Software Foundation / Apache Ozone (Range: 1.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3w5h-x4rh-hc28 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-39231 (NVD advisory)
- www.openwall.com/lists/oss-security/2021/11/19/2 (oss-security mailing list)
- mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E (Apache ozone-dev mailing list)
News mentions
No linked articles in our index yet.