From: larry mccay
Reply-To: user@knox.apache.org
Date: Fri, 26 May 2017 14:26:44 -0400
Subject: [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
To: user@knox.apache.org, dev@knox.apache.org, security, announce@apache.org, private@knox.apache.org
Cc: oss-security@lists.openwall.com, bugtraq@securityfocus.com

CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Knox prior to 0.12.0

An authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue.

Mitigation:
All users are recommended to upgrade to Apache Knox 0.12.0, where validation, scrubbing and logging of such attempts have been added.

The Apache Knox 0.12.0 release can be downloaded from:
Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
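The validation, scrubbing and logging described under Mitigation, as an added illustration that is not Knox's own code: a gateway-side check that drops any client-supplied WebHDFS `doas` (proxy-user) query parameter, replaces it with the principal the gateway authenticated, and audit-logs every mismatch. It assumes `doas` is the impersonation mechanism the crafted URL abuses (the advisory does not name the parameter); the hostname, path and user names are constructed.

```python
import logging
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

audit = logging.getLogger("gateway.audit")

# Assumption: WebHDFS takes the proxy-user identity from the "doas" query
# parameter, and the gateway must never forward a client-chosen value.
IMPERSONATION_PARAM = "doas"


def scrub_impersonation(url, authenticated_user):
    """Return (clean_url, attempted_user).

    Every client-supplied doas value is removed and a single doas set to the
    authenticated principal is appended, so the backend only ever sees the
    identity the gateway established. attempted_user is the value that was
    scrubbed when it differed from the authenticated user, else None.
    """
    parts = urlsplit(url)
    attempted = None
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == IMPERSONATION_PARAM:   # match regardless of case
            if value != authenticated_user:
                attempted = value
            continue                              # drop every client copy
        kept.append((key, value))
    kept.append((IMPERSONATION_PARAM, authenticated_user))
    if attempted is not None:
        audit.warning("impersonation attempt: user=%s requested doas=%s path=%s",
                      authenticated_user, attempted, parts.path)
    return urlunsplit(parts._replace(query=urlencode(kept))), attempted


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample requests as the gateway would see them after auth.
    gw = "https://gw.example.com/gateway/default/webhdfs/v1"
    for url in (gw + "/user/hdfs?op=LISTSTATUS&doas=hdfs",   # mismatch, logged
                gw + "/tmp?op=GETFILESTATUS",                 # no doas supplied
                gw + "/tmp?op=GETFILESTATUS&DoAs=alice"):     # harmless, own name
        clean, who = scrub_impersonation(url, "alice")
        print(clean, "attempted:", who)
```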