www-announce mailing list archives

From Rohini Palaniswamy <roh...@apache.org>
Subject [CVE-2017-15712] Apache Oozie Server vulnerability
Date Thu, 15 Feb 2018 22:09:50 GMT
Apache Oozie is a workflow scheduler system to manage Apache Hadoop jobs.

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
Oozie 3.1.3-incubating to Oozie 4.3.0
Oozie 5.0.0-beta1

The vulnerability allows a user of Oozie to expose private files readable by the
Oozie server process. A malicious user can construct a workflow XML file
containing XML directives and configuration that reference sensitive files
on the Oozie server host.
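As an added illustration (not part of this advisory or of the Oozie project's own fix), the following Python check flags a workflow definition that carries the kind of XML directives described above before it reaches the server's parser. The sample workflow documents and the file path in the entity declaration are constructed placeholders; the check assumes a legitimate Oozie workflow never needs a DOCTYPE or entity declaration.

```python
import xml.parsers.expat

def find_xml_directives(xml_bytes: bytes) -> list:
    """Return findings for DOCTYPE / entity declarations in an XML document.

    Nothing here resolves an external reference: declarations are recorded,
    and any reference to an external entity is left unexpanded.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE '{name}' declared")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            findings.append(f"external entity '{name}' references {system_id}")
        else:
            findings.append(f"internal entity '{name}' declared")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"external entity reference to {system_id}")
        return 1  # continue parsing without fetching the referenced resource

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings

def is_safe_workflow(xml_bytes: bytes) -> bool:
    """True only when the document carries no DTD, entity or parse problem."""
    return not find_xml_directives(xml_bytes)

# Constructed sample: a minimal workflow definition without any DTD.
CLEAN_WORKFLOW = b"""<?xml version="1.0"?>
<workflow-app xmlns="uri:oozie:workflow:0.5" name="example-wf">
  <start to="end"/>
  <end name="end"/>
</workflow-app>"""

# Constructed sample: the same workflow with a DOCTYPE declaring an external
# entity that points at a placeholder path on the server host.
DTD_WORKFLOW = b"""<?xml version="1.0"?>
<!DOCTYPE workflow-app [
  <!ENTITY leak SYSTEM "file:///placeholder/path/on/oozie/host">
]>
<workflow-app xmlns="uri:oozie:workflow:0.5" name="example-wf">
  <parameters><property><name>&leak;</name></property></parameters>
  <start to="end"/>
  <end name="end"/>
</workflow-app>"""
```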

Users should upgrade to the Apache Oozie 4.3.1 release from
http://oozie.apache.org/.
Users should use the 5.0.0-beta1 release only for testing purposes and wait for
the 5.0.0 GA, which will have the fix.

The issues were discovered by Daryn Sharp and Jason Lowe of Oath (formerly
Yahoo! Inc).
