Date: Fri, 16 Dec 2016 21:31:34 +0000
From: Arpit Agarwal <aagarwal@...tonworks.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: [SECURITY] CVE-2016-5001: Apache Hadoop Information Disclosure

CVE-2016-5001: Apache Hadoop Information Disclosure

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Hadoop 2.7.1, 2.6.3 and earlier.

Description:
This is an information disclosure vulnerability in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Mitigation:
Users on 2.7.x should upgrade to 2.7.2 or later.
Users on 2.6.x or earlier releases should upgrade to 2.6.4 or later.

Impact:
A local user may be able to gain unauthorized read access to files.

Credit:
This issue was reported by Kihwal Lee of Yahoo Inc.
