bigtop-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roman Shaposhnik <ro...@shaposhnik.org>
Subject Fwd: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
Date Tue, 29 Nov 2016 00:09:12 GMT
FYI


---------- Forwarded message ----------
From: Yongjun Zhang <yjzhangal@apache.org>
Date: Mon, Nov 28, 2016 at 4:04 PM
Subject: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
To: security@apache.org, oss-security@lists.openwall.com,
bugtraq@securityfocus.com, general@hadoop.apache.org


Hi,

Please see below the official announcement of a critical security
vulnerability that's discovered and subsequently fixed in Apache Hadoop
releases.

Thanks and best regards,

--Yongjun

----------

CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Severity: Critical



Vendor:

The Apache Software Foundation



Versions Affected:

Hadoop 2.6.x, 2.7.x



Description:

A remote user who can authenticate with the HDFS NameNode can possibly run
arbitrary commands as the hdfs user.



Mitigation:

2.7.x users should upgrade to 2.7.3

2.6.x users should upgrade to 2.6.5



Impact:

A remote user who can authenticate with the HDFS NameNode can possibly run
arbitrary commands with the same privileges as HDFS service.



Credit:

This issue was discovered by Freddie Rice.

----------

Mime
View raw message