Date: Mon, 28 Nov 2016 16:04:45 -0800
From: Yongjun Zhang <yjzhangal@...che.org>
To: security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, general@...oop.apache.org
Subject: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Hi,

Please see below the official announcement of a critical security vulnerability that's discovered and subsequently fixed in Apache Hadoop releases.

Thanks and best regards,

--Yongjun

----------

CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Hadoop 2.6.x, 2.7.x

Description: A remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands as the hdfs user.

Mitigation:
2.7.x users should upgrade to 2.7.3
2.6.x users should upgrade to 2.6.5

Impact: A remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as HDFS service.

Credit: This issue was discovered by Freddie Rice.

----------