From Roman Shaposhnik <ro...@shaposhnik.org>
Subject Fwd: [SECURITY] CVE-2016-5001: Apache Hadoop Information Disclosure
Date Sat, 17 Dec 2016 01:36:19 GMT
FYI


---------- Forwarded message ----------
From: Arpit Agarwal <aagarwal@hortonworks.com>
Date: Fri, Dec 16, 2016 at 1:31 PM
Subject: [SECURITY] CVE-2016-5001: Apache Hadoop Information Disclosure
To: "general@hadoop.apache.org" <general@hadoop.apache.org>
Cc: "security@hadoop.apache.org" <security@hadoop.apache.org>


Hello,

The following security vulnerability was found and fixed in Apache Hadoop.

[also announced on bugtraq@securityfocus.com, oss-security@lists.openwall.com]

-------

CVE-2016-5001: Apache Hadoop Information Disclosure

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Hadoop 2.7.1, 2.6.3 and earlier.

Description:
This is an information disclosure vulnerability in the short-circuit
reads feature of HDFS. A local user on an HDFS DataNode may be able to
craft a block token that grants unauthorized read access to random
files by guessing certain fields in the token.

Mitigation:
Users on 2.7.x should upgrade to 2.7.2 or later.
Users on 2.6.x or earlier releases should upgrade to 2.6.4 or later.

Impact:
A local user may be able to gain unauthorized read access to files.

Credit:
This issue was reported by Kihwal Lee of Yahoo Inc.

