CVE-2021-39236: 
Java vulnerability analysis and mitigation

A security vulnerability (CVE-2021-39236) was identified in Apache Ozone versions prior to 1.2.0. The vulnerability was discovered and reported by Marton Elek, affecting the authentication mechanism of Apache Ozone's S3 token validation system. The issue was officially disclosed on November 18, 2021 (OSS Security).

The vulnerability exists in Apache Ozone's delegation token system, which has two flavors: delegation token based on public key infrastructure provided by SCM CA, and S3 token. The S3 token contains information required to validate S3 HTTP requests, including AWS access key ID, string2sign, and signature. While OM can verify the signature based on stored information in OzoneTokenInfo, the critical flaw lies in the owner field validation process. When a request is authenticated, the owner field is used for subsequent authentication, but its content remains unvalidated (Apache JIRA).

The vulnerability allows authenticated users with valid Ozone S3 credentials to create specific OM requests while impersonating any other user. This could lead to unauthorized access and potential privilege escalation within the system (OSS Security).

The recommended mitigation is to upgrade to Apache Ozone release version 1.2.0 or later, which contains the fix for this vulnerability. The fix involves implementing proper validation of the owner field in S3AUTHINFO type delegation tokens (OSS Security).