Date: Tue, 29 Nov 2016 07:15:36 -0800
From: Yongjun Zhang <yzhang@...udera.com>
To: Zhe Zhang <zhe.zhang.research@...il.com>
Cc: security@...che.org, oss-security@...ts.openwall.com, 
	bugtraq@...urityfocus.com, general@...oop.apache.org
Subject: Re: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Hi Zhe,

Please refer to https://www.apache.org/security/ for details.

Thanks.

--Yongjun

On Mon, Nov 28, 2016 at 10:26 PM, Zhe Zhang <zhe.zhang.research@...il.com>
wrote:

> Thanks for the note Yongjun! Does HADOOP-13434
> <https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?
>
> On Mon, Nov 28, 2016 at 4:04 PM Yongjun Zhang <yjzhangal@...che.org>
> wrote:
>
> > Hi,
> >
> > Please see below the official announcement of a critical security
> > vulnerability that's discovered and subsequently fixed in Apache Hadoop
> > releases.
> >
> > Thanks and best regards,
> >
> > --Yongjun
> >
> > ----------
> >
> > CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
> >
> > Severity: Critical
> >
> > Vendor:
> >
> > The Apache Software Foundation
> >
> > Versions Affected:
> >
> > Hadoop 2.6.x, 2.7.x
> >
> > Description:
> >
> > A remote user who can authenticate with the HDFS NameNode can possibly
> > run arbitrary commands as the hdfs user.
> >
> > Mitigation:
> >
> > 2.7.x users should upgrade to 2.7.3
> >
> > 2.6.x users should upgrade to 2.6.5
> >
> > Impact:
> >
> > A remote user who can authenticate with the HDFS NameNode can possibly
> > run arbitrary commands with the same privileges as HDFS service.
> >
> > Credit:
> >
> > This issue was discovered by Freddie Rice.
> >
> > ----------
> >
> --
> Zhe Zhang
> Apache Hadoop Committer
> http://zhe-thoughts.github.io/about/ | @oldcap
>
