VYPR
High severity · NVD Advisory · Published Nov 19, 2021 · Updated Aug 4, 2024

Owners of the S3 tokens are not validated

CVE-2021-39236

Description

In Apache Ozone before 1.2.0, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Apache Ozone <1.2.0, authenticated S3 users can impersonate any other user by crafting OM requests with a forged owner field.

Vulnerability

Apache Ozone before version 1.2.0 allows authenticated users with valid S3 credentials to create specific Ozone Manager (OM) requests that impersonate any other user. The root cause is that the owner field in S3 authentication tokens is not validated against the AWS access ID, so an attacker can set a different owner [1][3]. All versions before 1.2.0 are affected [1].

Exploitation

An attacker needs valid Ozone S3 credentials (AWS access key and secret key) and network access to the Ozone cluster. Using these credentials, they can craft an S3 authentication token (delegation token) with an arbitrary owner field while keeping the correct signature and string-to-sign [3]. The Ozone Manager does not verify that the owner matches the authenticated user, so the impersonated owner is used for authorization checks [3][4].

Impact

Successful exploitation allows an attacker to perform any action that the impersonated user is authorized to do, including creating volumes, buckets, or accessing data. This can lead to unauthorized data access, modification, or deletion, with potential privilege escalation if the impersonated user has administrative privileges [1][3].

Mitigation

The vulnerability is fixed in Apache Ozone 1.2.0 [1]. The fix was implemented in commit 60e078729e18ef1be276f35659957ac553d266f7, which adds validation of the owner field against the AWS access ID in the validateS3AuthInfo method [4]. Users should upgrade to version 1.2.0 or later. No workaround is documented; upgrading is recommended.
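The check described in the Vulnerability, Exploitation and Mitigation sections, modelled in Python as an added example (not Ozone's own code): the signature is bound to the secret of the AWS access ID, so it stays valid no matter what the owner field says, which is why the pre-1.2.0 path accepts a token whose owner names another user while the post-fix path, mirroring the commit's validateS3AuthInfo check, rejects it. The secret store, the token class and the simplified one-step HMAC signing are assumptions standing in for Ozone's S3SecretManager, OzoneTokenIdentifier and SigV4.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for s3SecretManager: AWS access id -> S3 secret.
S3_SECRETS = {"alice": "alice-secret-constructed", "bob": "bob-secret-constructed"}

# Constructed string-to-sign in the SigV4 layout (no real request hash).
STRING_TO_SIGN = ("AWS4-HMAC-SHA256\n20190221T000000Z\n"
                  "20190221/us-west-1/s3/aws4_request\n<constructed-request-hash>")


@dataclass
class S3TokenIdentifier:
    """Stand-in for the S3AUTHINFO fields of OzoneTokenIdentifier."""
    owner: Optional[str]      # principal OM authorizes as
    aws_access_id: str        # credential the signature is made with
    string_to_sign: str
    signature: str


def sign(secret: str, string_to_sign: str) -> str:
    """Simplified HMAC-SHA256 over the string-to-sign (SigV4 derives the key in more steps)."""
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()


def check_signature(ident: S3TokenIdentifier) -> None:
    """Look up the secret by access id and verify the signature; owner plays no part."""
    secret = S3_SECRETS.get(ident.aws_access_id)
    if secret is None:
        raise ValueError("No S3 secret found for S3 identifier")
    if not hmac.compare_digest(sign(secret, ident.string_to_sign), ident.signature):
        raise ValueError("Invalid signature")


def validate_before_fix(ident: S3TokenIdentifier) -> Optional[str]:
    """Pre-1.2.0 behaviour: only the signature is checked; the owner is trusted as sent."""
    check_signature(ident)
    return ident.owner


def validate_after_fix(ident: S3TokenIdentifier) -> str:
    """HDDS-4763 behaviour: owner must be present and equal the AWS access id."""
    if ident.owner is None:
        raise ValueError("Owner is missing from the S3 auth token")
    if ident.owner != ident.aws_access_id:
        raise ValueError(f"Invalid S3 identifier: owner={ident.owner}, awsAccessId={ident.aws_access_id}")
    check_signature(ident)
    return ident.owner


def rejection_reason(validate: Callable[[S3TokenIdentifier], Optional[str]],
                     ident: S3TokenIdentifier) -> Optional[str]:
    """Return the validator's error message, or None if the token was accepted."""
    try:
        validate(ident)
        return None
    except ValueError as err:
        return str(err)
```

Both validators still reject a token whose signature does not match the access id's secret; the fix only adds the binding between owner and access id that the signature never provided.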

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.hadoop:hadoop-ozone-ozone-manager (Maven)
Affected versions: < 1.2.0
Patched versions: 1.2.0

Affected products

3

Patches

1
60e078729e18

HDDS-4763. Owner field of S3AUTHINFO type delegation token should be validated (#1871)

https://github.com/apache/ozone · Elek, Márton · Feb 2, 2021 · via ghsa
2 files changed · +28 −13
  • hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java  +13 −0  modified
    @@ -472,6 +472,19 @@ public boolean verifySignature(OzoneTokenIdentifier identifier,
       private byte[] validateS3AuthInfo(OzoneTokenIdentifier identifier)
           throws InvalidToken {
         LOG.trace("Validating S3AuthInfo for identifier:{}", identifier);
    +    if (identifier.getOwner() == null) {
    +      throw new InvalidToken(
    +          "Owner is missing from the S3 auth token");
    +    }
    +    if (!identifier.getOwner().toString().equals(identifier.getAwsAccessId())) {
    +      LOG.error(
    +          "Owner and AWSAccessId is different in the S3 token. Possible "
    +              + " security attack: {}",
    +          identifier);
    +      throw new InvalidToken(
    +          "Invalid S3 identifier: owner=" + identifier.getOwner()
    +              + ", awsAccessId=" + identifier.getAwsAccessId());
    +    }
         String awsSecret;
         try {
           awsSecret = s3SecretManager.getS3UserSecretString(identifier
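Review bot: the error message assembled from `"Owner and AWSAccessId is different in the S3 token. Possible "` and `" security attack: {}"` has a subject/verb mismatch and a double space where the two literals join; `"Owner and AWSAccessId are different in the S3 token. Possible security attack: {}"` reads cleanly. A one-line comment above the two new checks stating the invariant (for S3AUTHINFO tokens the owner must be the AWS access id) would also help, since nothing in the method explains why the fields must match. Finally, `LOG.error(..., identifier)` logs the whole identifier; check whether its string form includes the signature or string-to-sign, as owner and awsAccessId alone are enough to investigate a mismatch.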
    
  • hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java  +15 −13  modified
    @@ -18,6 +18,16 @@
     
     package org.apache.hadoop.ozone.security;
     
    +import java.io.File;
    +import java.io.IOException;
    +import java.security.KeyPair;
    +import java.security.PrivateKey;
    +import java.security.PublicKey;
    +import java.security.Signature;
    +import java.security.cert.X509Certificate;
    +import java.util.HashMap;
    +import java.util.Map;
    +
     import org.apache.hadoop.hdds.conf.OzoneConfiguration;
     import org.apache.hadoop.hdds.security.x509.SecurityConfig;
     import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
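Review bot: this hunk only moves the `java.*` imports above the `org.apache` ones and changes no behaviour; bundling import reordering with a security fix enlarges the diff that has to be backported to release branches, so consider keeping the reordering in a separate commit.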
    @@ -36,26 +46,16 @@
     import org.apache.hadoop.security.token.Token;
     import org.apache.hadoop.test.LambdaTestUtils;
     import org.apache.hadoop.util.Time;
    +
    +import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_ENABLE_KEY;
    +import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
     import org.junit.After;
     import org.junit.Assert;
     import org.junit.Before;
     import org.junit.Rule;
     import org.junit.Test;
     import org.junit.rules.TemporaryFolder;
     
    -import java.io.File;
    -import java.io.IOException;
    -import java.security.KeyPair;
    -import java.security.PrivateKey;
    -import java.security.PublicKey;
    -import java.security.Signature;
    -import java.security.cert.X509Certificate;
    -import java.util.HashMap;
    -import java.util.Map;
    -
    -import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_RATIS_ENABLE_KEY;
    -import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
    -
     /**
      * Test class for {@link OzoneDelegationTokenSecretManager}.
      */
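Review bot: the two static imports now sit between the `org.apache.hadoop` imports and the `org.junit` block with a blank line before them but none after, which leaves the import groups inconsistently separated; either give the static imports their own group with a blank line on both sides or keep them at the end as they were, whichever the project's checkstyle import-order rule expects.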
    @@ -342,6 +342,7 @@ public void testValidateS3AUTHINFOSuccess() throws Exception {
             "20190221/us-west-1/s3/aws4_request\n" +
             "c297c080cce4e0927779823d3fd1f5cae71481a8f7dfc7e18d91851294efc47d");
         identifier.setAwsAccessId("testuser1");
    +    identifier.setOwner(new Text("testuser1"));
         secretManager.retrievePassword(identifier);
       }
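Review bot: `identifier.setOwner(new Text("testuser1"))` relies on `org.apache.hadoop.io.Text` being in scope, and the import hunks above neither add nor show it; confirm the class was already imported in this test. Note also that this hunk only adjusts the existing success case so it keeps passing under the new check, which means the success path is covered but the new rejection logic is not exercised here.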
     
    @@ -360,6 +361,7 @@ public void testValidateS3AUTHINFOFailure() throws Exception {
             "20190221/us-west-1/s3/aws4_request\n" +
             "c297c080cce4e0927779823d3fd1f5cae71481a8f7dfc7e18d91851294efc47d");
         identifier.setAwsAccessId("testuser2");
    +    identifier.setOwner(new Text("testuser2"));
         // Case 1: User don't have aws secret set.
         LambdaTestUtils.intercept(SecretManager.InvalidToken.class, " No S3 " +
                 "secret found for S3 identifier",
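Review bot: no test exercises the two new rejection paths (owner missing, owner different from awsAccessId); this hunk only aligns the existing failure case, which still expects the "No S3 secret found" error, with the new requirement. Add a case that calls `setAwsAccessId("testuser2")` together with `setOwner(new Text("testuser1"))` and intercepts `InvalidToken` with the "Invalid S3 identifier" message, and another that sets no owner and expects "Owner is missing from the S3 auth token", so the HDDS-4763 fix is protected against regression.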
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.