hadoop-general mailing list archives

From Vasu Deshpande <vasu.deshpa...@gmail.com>
Subject Re: [SECURITY] CVE-2017-3166: Apache Hadoop Privilege escalation vulnerability
Date Wed, 08 Nov 2017 11:30:44 GMT


Regards,
Vasu 

Vasu M Deshpande
+91-97422-04624 India
+1-408-663-2260 USA
vasumd@easylibsolutions.com
www.easylibsoft.com


> On Nov 8, 2017, at 12:21 PM, Akira Ajisaka <aajisaka@apache.org> wrote:
> 
> Hello,
> 
> The following security vulnerability was found and fixed in Apache Hadoop.
> 
> [also announced on oss-security@lists.openwall.com]
> 
> -------
> 
> CVE-2017-3166: Apache Hadoop Privilege escalation vulnerability
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Hadoop 2.6.1+, 2.7.x before 2.7.4, 3.0.0-alpha before 3.0.0-alpha4
> 
> Description:
> In a cluster where the YARN user has been granted access to all HDFS
> encryption keys, if a file in an encryption zone with access permissions
> that make it world readable is localized via YARN's localization mechanism,
> e.g. via the MapReduce distributed cache, that file will be stored
> in a world-readable location and shared freely with any application
> that requests to localize that file, no matter who the application owner
> is or whether that user should be allowed to access files from the
> target encryption zone.
> 
> Mitigation:
> Users on 2.6.1+ and 2.7.x before 2.7.4 should upgrade to 2.7.4 or later
> Users on 3.0.0-alpha before 3.0.0-alpha4 should upgrade to 3.0.0-alpha4 or later
> 
> Impact:
> Users may gain access to files that should be protected by HDFS
> transparent encryption if those files have world readable access
> permissions and are localized through YARN's localization mechanism
> in a cluster where YARN has been granted access to all HDFS encryption keys.
> 
> Credit:
> This issue was discovered by Luke Herbert.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@hadoop.apache.org
> For additional commands, e-mail: general-help@hadoop.apache.org
> 

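The precondition the quoted advisory describes (a file inside an HDFS encryption zone whose permissions make it world readable) can be audited for directly, so an operator can find such files before they are pulled through YARN's localization path. The script below is an added example, not code from the advisory or from the Hadoop project. It assumes the listing text has the shape of `hdfs dfs -ls -R <path>` output and the zone text has the shape of `hdfs crypto -listZones` output; both samples embedded here are constructed.

```python
"""Audit for the CVE-2017-3166 precondition: world-readable files inside
HDFS encryption zones.

Added example, not Hadoop code. Assumptions: `listing` looks like
`hdfs dfs -ls -R` output and `zones_text` looks like `hdfs crypto -listZones`
output. The sample strings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of `hdfs crypto -listZones` output: "<zone path>  <key name>"
SAMPLE_ZONES = """\
/secure/finance  finance-key
/secure/hr       hr-key
"""

# Constructed sample of `hdfs dfs -ls -R` output covering those zones and
# one path outside any zone. A trailing '+' on the mode marks an HDFS ACL.
SAMPLE_LISTING = """\
drwxr-x---   - finance hadoop          0 2017-11-08 10:00 /secure/finance/reports
-rw-r-----   3 finance hadoop     204800 2017-11-08 10:01 /secure/finance/reports/q3.parquet
-rw-r--r--   3 finance hadoop      51200 2017-11-08 10:02 /secure/finance/reports/summary.csv
-rw-rw-rw-+  3 hr      hadoop       8192 2017-11-08 10:03 /secure/hr/payroll.csv
-rw-r--r--   3 alice   hadoop       1024 2017-11-08 10:04 /public/readme.txt
"""


@dataclass(frozen=True)
class Finding:
    path: str
    zone: str
    mode: str
    owner: str


def parse_zones(text: str) -> List[str]:
    """Extract zone paths from `hdfs crypto -listZones`-style lines."""
    zones = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("/"):
            zones.append(parts[0].rstrip("/") or "/")
    return zones


def zone_for(path: str, zones: Iterable[str]) -> Optional[str]:
    """Return the encryption zone containing `path`, or None if not in any zone."""
    for zone in sorted(zones, key=len, reverse=True):  # deepest zone wins
        if path == zone or path.startswith(zone.rstrip("/") + "/"):
            return zone
    return None


def world_readable(mode: str) -> bool:
    """True when the 'other' read bit is set, e.g. '-rw-r--r--' or '-rw-rw-rw-+'."""
    return len(mode) >= 10 and mode[7] == "r"


def find_exposed_files(listing: str, zones_text: str) -> List[Finding]:
    """Return every regular file that is both inside an encryption zone and
    world readable, which is the condition the advisory warns about."""
    zones = parse_zones(zones_text)
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 7)  # mode rep owner group size date time path
        if len(parts) != 8 or parts[0][0] == "d":
            continue  # skip malformed lines and directories
        mode, _rep, owner, _group, _size, _date, _time, path = parts
        zone = zone_for(path, zones)
        if zone is not None and world_readable(mode):
            findings.append(Finding(path=path, zone=zone, mode=mode, owner=owner))
    return findings


if __name__ == "__main__":
    for f in find_exposed_files(SAMPLE_LISTING, SAMPLE_ZONES):
        print(f"{f.mode} {f.owner} {f.path}  (zone {f.zone})")
```

On the constructed sample this flags `summary.csv` and `payroll.csv` and skips `q3.parquet` (no 'other' read bit) and `readme.txt` (outside every zone). The check inspects only each file's own mode bits; it does not evaluate parent-directory permissions or the individual entries of an HDFS ACL, so a file marked with '+' should be reviewed with `hdfs dfs -getfacl`. Finding such files is an operational complement to the upgrade the advisory lists as the mitigation, not a substitute for it.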

