| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| |
| <meta name="description" content=""> |
| <meta name="author" content=""> |
| <link rel="icon" href="/favicon.ico"> |
| <base href="https://hadoop.apache.org"> |
| <title>Apache Hadoop</title> |
| |
| |
| <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"> |
| |
| |
| <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous"> |
| <link rel="stylesheet" href="/css/hadoop.css"> |
| |
| |
| |
| </head> |
| |
| <body> |
| |
| |
| <div class="container"> |
| <h1>Hadoop CVE List</h1> |
| <!--- |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. See accompanying LICENSE file. |
| --> |
| <p>This page lists security fixes that the Hadoop PMC felt warranted a CVE. If you think something is missing from this list or if you think the set of impacted or fixed versions is incomplete then please <a href="mailing_lists.html#Security">ask on the Security list</a>.</p> |
| <p>CVEs are presented in most-recent-first order of announcement.</p> |
| <!-- These should be sorted as most-recent-first. Please copy this template and fill in as needed. |
| |
| ## [CVE-YYYY-XXXX](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-XXXX) Short Description |
| |
| One paragraph summary goes here. Don't need nuts-and-bolts detail, just enough for a reader to gauge applicability to their deployment. |
| |
| - **Versions affected**: |
| - **Fixed versions**: |
| - **Impact**: |
| - **Reporter**: |
| - **Reported Date**: |
| - **Issue Announced**: |
| --> |
| <h2 id="cve-2020-9492httpcvemitreorgcgi-bincvenamecginamecve-2020-9492-apache-hadoop-potential-privilege-escalation"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9492">CVE-2020-9492</a> Apache Hadoop Potential privilege escalation</h2> |
| <p>The WebHDFS client might send a SPNEGO authorization header to a remote URL |
| without proper verification. A crafty user can trigger services to |
| send server credentials to a webhdfs path in order to capture the service |
| principal.</p> |
| <p>Users of the affected versions should apply either of the following mitigations:</p> |
| <ul> |
| <li>Set different http signature secrets and use dedicated hosts for each privileged impersonation service (such as HiveServer2).</li> |
| <li>Upgrade to 3.3.0, 3.2.2, 3.1.4, 2.10.1, or newer, enable TLS encryption, and set dfs.http.policy to HTTPS_ONLY.</li> |
| </ul> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0</li> |
| <li><strong>Fixed versions</strong>: 3.2.2, 3.1.4, 2.10.1</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Kevin Risden</li> |
| <li><strong>Reported Date</strong>: 2020/03/17</li> |
| <li><strong>Issue Announced</strong>: 2021/01/26 (<a href="https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11764httpcvemitreorgcgi-bincvenamecginamecve-2018-11764-apache-hadoop-privilege-escalation-in-web-endpoint"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11764">CVE-2018-11764</a> Apache Hadoop Privilege escalation in web endpoint</h2> |
| <p>The web endpoint authentication check is broken: authenticated users may |
| impersonate any user even if no proxy user is configured.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha4, 3.0.0-beta1, 3.0.0</li> |
| <li><strong>Fixed versions</strong>: 3.0.1</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Daryn Sharp</li> |
| <li><strong>Reported Date</strong>: 2018/03/17</li> |
| <li><strong>Issue Announced</strong>: 2020/10/21 (<a href="https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11765httpcvemitreorgcgi-bincvenamecginamecve-2018-11765-potential-information-disclosure-in-apache-hadoop-web-interfaces"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11765">CVE-2018-11765</a> Potential information disclosure in Apache Hadoop Web interfaces</h2> |
| <p>When Kerberos authentication is enabled but SPNEGO over HTTP is not enabled, |
| any user can access some servlets without authentication.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5</li> |
| <li><strong>Fixed versions</strong>: 3.0.1, 2.10.0</li> |
| <li><strong>Impact</strong>: information disclosure</li> |
| <li><strong>Reporter</strong>: Larry McCay (Discovered by Owen O’Malley)</li> |
| <li><strong>Reported Date</strong>: 2018/03/11</li> |
| <li><strong>Issue Announced</strong>: 2020/09/28 (<a href="https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11768httpcvemitreorgcgi-bincvenamecginamecve-2018-11768-apache-hadoop-hdfs-fsimage-corruption"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768">CVE-2018-11768</a> Apache Hadoop HDFS FSImage Corruption</h2> |
| <p>There is a mismatch between the in-memory and on-disk sizes of the fields used |
| to store user/group information. This causes the user/group information to be |
| corrupted when it is stored in the fsimage and read back from it.</p> |
| <p>The fix for this vulnerability includes an fsimage layout change, so once the image is |
| saved in the new layout format you cannot go back to a version that doesn’t |
| support the newer layout. This means that once 2.7.x users have upgraded to a |
| fixed version, they cannot downgrade to 2.7.x, because no 2.7.x release contains |
| the fix. If a downgrade is needed, we suggest 2.8.5 or a later version that |
| contains the vulnerability fix.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, 2.0.0-alpha to 2.8.4</li> |
| <li><strong>Fixed versions</strong>: 3.1.2, 2.9.2, 2.8.5</li> |
| <li><strong>Impact</strong>: information disclosure</li> |
| <li><strong>Reporter</strong>: Ekanth Sethuramalingam</li> |
| <li><strong>Reported Date</strong>: 2018/06/05</li> |
| <li><strong>Issue Announced</strong>: 2019/10/03 (<a href="https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-8029httpcvemitreorgcgi-bincvenamecginamecve-2018-8029-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029">CVE-2018-8029</a> Apache Hadoop Privilege escalation vulnerability</h2> |
| <p>A user who can escalate to yarn user can possibly run arbitrary |
| commands as root user.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, 2.2.0 to 2.8.4</li> |
| <li><strong>Fixed versions</strong>: 3.1.1, 2.9.2, 2.8.5</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Miklos Szegedi</li> |
| <li><strong>Reported Date</strong>: 2018/05/08</li> |
| <li><strong>Issue Announced</strong>: 2019/05/30 (<a href="https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11767httpcvemitreorgcgi-bincvenamecginamecve-2018-11767-apache-hadoop-kms-acl-regression"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11767">CVE-2018-11767</a> Apache Hadoop KMS ACL regression</h2> |
| <p>After the security fix for CVE-2017-15713, KMS has an access control regression |
| that incorrectly blocks users or incorrectly grants them access if the system |
| uses a non-default groups mapping mechanism such as LdapGroupsMapping, |
| CompositeGroupsMapping, or NullGroupsMapping.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6</li> |
| <li><strong>Fixed versions</strong>: 2.9.2, 2.8.5, 2.7.7</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Wei-Chiu Chuang</li> |
| <li><strong>Reported Date</strong>: 2018/05/09</li> |
| <li><strong>Issue Announced</strong>: 2019/03/11 (<a href="https://lists.apache.org/thread.html/5fb771f66946dd5c99a8a5713347c24873846f555d716f9ac17bccca@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-1296httpcvemitreorgcgi-bincvenamecginamecve-2018-1296-apache-hadoop-hdfs-permissive-listxattr-authorization"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1296">CVE-2018-1296</a> Apache Hadoop HDFS Permissive listXAttr Authorization</h2> |
| <p>HDFS exposes extended attribute key/value pairs during listXAttrs, |
| verifying only path-level search access to the directory rather than |
| path-level read permission to the referent. This affects features that |
| store sensitive data in extended attributes, such as HDFS encryption |
| secrets.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5</li> |
| <li><strong>Fixed versions</strong>: 3.0.1, 2.9.1, 2.8.4, 2.7.6</li> |
| <li><strong>Impact</strong>: information disclosure</li> |
| <li><strong>Reporter</strong>: Rushabh Shah</li> |
| <li><strong>Reported Date</strong>: 2018/02/09</li> |
| <li><strong>Issue Announced</strong>: 2019/01/24 (<a href="https://lists.apache.org/thread.html/752d5fe697ca6be6f472eabb1bcae7961a47d416e4013ac803a2ab2c@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-11766httpcvemitreorgcgi-bincvenamecginamecve-2018-11766-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11766">CVE-2018-11766</a> Apache Hadoop privilege escalation vulnerability</h2> |
| <p>In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is |
| incomplete. A user who can escalate to yarn user can possibly run arbitrary |
| commands as root user.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.7.4 to 2.7.6</li> |
| <li><strong>Fixed versions</strong>: 2.7.7</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Wilfred Spiegelenburg</li> |
| <li><strong>Reported Date</strong>: 2018/05/04</li> |
| <li><strong>Issue Announced</strong>: 2018/11/27 (<a href="https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2018-8009httpcvemitreorgcgi-bincvenamecginamecve-2018-8009-apache-hadoop-distributed-cache-archive-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009">CVE-2018-8009</a> Apache Hadoop distributed cache archive vulnerability</h2> |
| <p>This vulnerability allows a cluster user to publish a public |
| archive that can affect other files owned by the user running the YARN |
| NodeManager daemon. If the affected files belong to another already |
| localized public archive on the node, then code can be injected into |
| the jobs of other cluster users that use that public archive.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11</li> |
| <li><strong>Fixed versions</strong>: 3.1.1, 3.0.3, 2.9.2, 2.8.5, 2.7.7</li> |
| <li><strong>Impact</strong>: injection attack</li> |
| <li><strong>Credit</strong>: Snyk Security Research Team</li> |
| <li><strong>Reported Date</strong>: 2018/04/19</li> |
| <li><strong>Issue Announced</strong>: 2018/11/22 (<a href="https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2016-6811httpcvemitreorgcgi-bincvenamecginamecve-2016-6811-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811">CVE-2016-6811</a> Apache Hadoop Privilege escalation vulnerability</h2> |
| <p>A user who can escalate to yarn user can possibly run arbitrary commands as root user.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.2.0 to 2.7.3</li> |
| <li><strong>Fixed versions</strong>: 2.7.4 or newer</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Freddie Rice</li> |
| <li><strong>Reported Date</strong>: 2016/07/06</li> |
| <li><strong>Issue Announced</strong>: 2018/05/01 (<a href="https://lists.apache.org/thread.html/ff3859a2188c3662240311acddba9cf97992b839792ec0a14d61b4e5@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li> |
| </ul> |
| <p>Note: The fix for this vulnerability is incomplete in Apache Hadoop 2.7.4 to 2.7.6 (CVE-2018-11766).</p> |
| <h2 id="cve-2017-15718httpcvemitreorgcgi-bincvenamecginamecve-2017-15718-apache-hadoop-yarn-nodemanager-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718">CVE-2017-15718</a> Apache Hadoop YARN NodeManager vulnerability</h2> |
| <p>In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. |
| The YARN NodeManager can leak the password for the credential store provider |
| used by the NodeManager to YARN applications.</p> |
| <p>If you use the CredentialProvider feature to encrypt passwords used in |
| NodeManager configs, it may be possible for any Container launched |
| by that NodeManager to gain access to the encryption password. |
| The other passwords themselves are not directly exposed.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 2.7.3, 2.7.4</li> |
| <li><strong>Fixed versions</strong>: 2.7.5</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Vinayakumar B.</li> |
| <li><strong>Reported Date</strong>: 2017/09/18</li> |
| <li><strong>Issue Announced</strong>: 2018/01/24 (<a href="https://lists.apache.org/thread.html/23a277506bc0d85c1bbe5c0766ffe55e8c3923c8d6f58893b6966957@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li> |
| </ul> |
| <h2 id="cve-2017-15713httpcvemitreorgcgi-bincvenamecginamecve-2017-15713-apache-hadoop-mapreduce-job-history-server-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713">CVE-2017-15713</a> Apache Hadoop MapReduce job history server vulnerability</h2> |
| <p>This vulnerability allows a cluster user to expose private files |
| owned by the user running the MapReduce job history server process. |
| A malicious user can construct a configuration file containing XML |
| directives that reference sensitive files on the MapReduce job history |
| server host.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha to 3.0.0-beta1, 2.8.0 to 2.8.2, 2.0.0-alpha to 2.7.4, 0.23.0 to 0.23.11</li> |
| <li><strong>Fixed versions</strong>: 3.0.0, 2.9.0, 2.8.3, 2.7.5</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Man Yue Mo of lgtm.com</li> |
| <li><strong>Reported Date</strong>: 2017/06/30</li> |
| <li><strong>Issue Announced</strong>: 2018/01/19 (<a href="https://lists.apache.org/thread.html/9e5d86d5792d04f8a3b458f735e63fa9bdfe28ff454de257a2e02f18@%3Cuser.hadoop.apache.org%3E">user@hadoop</a>)</li> |
| </ul> |
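<p>As an added check, not part of this page or of the Apache Hadoop project: the Python script below audits a Hadoop <code>*-site.xml</code> against two items on this list. It reports when <code>dfs.http.policy</code> is not <code>HTTPS_ONLY</code> or when <code>hadoop.http.authentication.signature.secret.file</code> is not set explicitly (the CVE-2020-9492 mitigations listed above), and it refuses to parse any configuration file that carries a DOCTYPE declaration, since the file-referencing XML directives described for CVE-2017-15713 need one and a site file never does. The three XML documents inside the script are constructed for the example; the two property names are real Hadoop settings, and <code>HTTP_ONLY</code> is Hadoop's documented default for <code>dfs.http.policy</code>.</p>

```python
"""Added example, not Apache Hadoop project code: audit a Hadoop *-site.xml
for the settings named in the CVE list above.

Assumptions: dfs.http.policy (default HTTP_ONLY) and
hadoop.http.authentication.signature.secret.file are real Hadoop settings;
the sample documents below are constructed for this example only."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real deployment).
WEAK_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.http.policy</name><value>HTTP_ONLY</value></property>
</configuration>
"""

HARDENED_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
  <property>
    <name>hadoop.http.authentication.signature.secret.file</name>
    <value>/etc/hadoop/conf/hs2-http-signature-secret</value>
  </property>
</configuration>
"""

# A site file never needs a DTD; any DOCTYPE is grounds for refusal.
DOCTYPE_SITE_XML = """<?xml version="1.0"?>
<!DOCTYPE configuration SYSTEM "site.dtd">
<configuration/>
"""


def parse_site_xml(text):
    """Parse Hadoop-style <configuration><property><name/><value/></property>
    XML into a {name: value} dict. Call only after the DOCTYPE check."""
    root = ET.fromstring(text)
    if root.tag != "configuration":
        raise ValueError("root element is %r, expected <configuration>" % root.tag)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_site_xml(text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # The raw-text check runs before any XML parser sees the document, so the
    # parser's entity handling never gets a chance to matter.
    if re.search(r"<!DOCTYPE", text, re.IGNORECASE):
        findings.append("refused: DOCTYPE declaration present; a Hadoop site "
                        "file never needs one (see CVE-2017-15713)")
        return findings
    props = parse_site_xml(text)
    policy = props.get("dfs.http.policy", "HTTP_ONLY")  # Hadoop default
    if policy != "HTTPS_ONLY":
        findings.append("dfs.http.policy is %s; the CVE-2020-9492 mitigation "
                        "requires HTTPS_ONLY" % policy)
    if not props.get("hadoop.http.authentication.signature.secret.file"):
        findings.append("hadoop.http.authentication.signature.secret.file is "
                        "not set explicitly; the CVE-2020-9492 mitigation calls "
                        "for a distinct secret per privileged impersonation service")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SITE_XML),
                       ("hardened", HARDENED_SITE_XML),
                       ("doctype", DOCTYPE_SITE_XML)):
        print(label, audit_site_xml(doc) or ["ok"])
```

To run it against a real file, pass the file contents to <code>audit_site_xml</code>; the weak sample yields two findings, the hardened sample none, and the DOCTYPE sample is refused without ever being handed to the XML parser.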
| <h2 id="cve-2017-3166httpcvemitreorgcgi-bincvenamecginamecve-2017-3166-apache-hadoop-privilege-escalation-vulnerability"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166">CVE-2017-3166</a> Apache Hadoop Privilege escalation vulnerability</h2> |
| <p>In a cluster where the YARN user has been granted access to all HDFS |
| encryption keys, if a file in an encryption zone whose access permissions |
| make it world readable is localized via YARN’s localization mechanism |
| (e.g. via the MapReduce distributed cache), that file will be stored |
| in a world-readable location and shared freely with any application |
| that requests to localize it, regardless of who the application owner |
| is or whether that user should be allowed to access files from the |
| target encryption zone.</p> |
| <ul> |
| <li><strong>Versions affected</strong>: 3.0.0-alpha1 to 3.0.0-alpha3, 2.7.0 to 2.7.3, 2.6.1 to 2.6.5</li> |
| <li><strong>Fixed versions</strong>: 3.0.0-alpha4, 2.8.0, 2.7.4</li> |
| <li><strong>Impact</strong>: privilege escalation</li> |
| <li><strong>Reporter</strong>: Luke Herbert</li> |
| <li><strong>Reported Date</strong>: 2016/11/18</li> |
| <li><strong>Issue Announced</strong>: 2017/11/08 (<a href="https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E">general@hadoop</a>)</li> |
| </ul> |
| |
| </div> |
| |
| <div class="container"> |
| <footer class="footer container"> |
| <div class="col-md-6"> |
| <p>Apache Hadoop, Hadoop, Apache, the Apache feather logo, |
| and the Apache Hadoop project logo are either registered trademarks or trademarks of the Apache Software Foundation |
| in the United States and other countries</p> |
| <p>Copyright © 2006-2021 The Apache Software Foundation</p> |
| <p><a href="/privacy_policy.html">Privacy policy</a></p> |
| </div> |
| <div class="col-md-6"> |
| <img class="img-responsive" src="/asf_logo_wide.png"/> |
| </div> |
| </footer> |
| </div> |
| |
| |
| <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script> |
| <script>window.jQuery || document.write('<script src="../../assets/js/vendor/jquery.min.js"><\/script>')</script> |
| <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script> |
| <script> |
| $(function() { $('table').addClass('table table-striped'); }) |
| </script> |
| |
| </body> |
| </html> |