Date: Tue, 29 Nov 2016 04:07:25 +0000
From: Zhe Zhang <zhz@...che.org>
To: Yongjun Zhang <yjzhangal@...che.org>, security@...che.org, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, 
	general@...oop.apache.org
Subject: Re: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Thanks for the note Yongjun! Does HADOOP-13434
<https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?

On Mon, Nov 28, 2016 at 4:04 PM Yongjun Zhang <yjzhangal@...che.org> wrote:

> Hi,
>
> Please see below the official announcement of a critical security
> vulnerability that's discovered and subsequently fixed in Apache Hadoop
> releases.
>
> Thanks and best regards,
>
> --Yongjun
>
> ----------
>
> CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
>
> Severity: Critical
>
>
>
> Vendor:
>
> The Apache Software Foundation
>
>
>
> Versions Affected:
>
> Hadoop 2.6.x, 2.7.x
>
>
>
> Description:
>
> A remote user who can authenticate with the HDFS NameNode can possibly run
> arbitrary commands as the hdfs user.
>
>
>
> Mitigation:
>
> 2.7.x users should upgrade to 2.7.3
>
> 2.6.x users should upgrade to 2.6.5
>
>
>
> Impact:
>
> A remote user who can authenticate with the HDFS NameNode can possibly run
> arbitrary commands with the same privileges as HDFS service.
>
>
>
> Credit:
>
> This issue was discovered by Freddie Rice.
>
> ----------
>
