Date: Thu, 15 Feb 2018 14:09:50 -0800
From: Rohini Palaniswamy <rohini@...che.org>
To: dev@...ie.apache.org, user@...ie.apache.org, announce@...che.org, 
	security@...che.org, oss-security@...ts.openwall.com
Subject: [CVE-2017-15712] Apache Oozie Server vulnerability

Apache Oozie is a workflow scheduler system to manage Apache Hadoop jobs.

Severity: Severe

Vendor:
The Apache Software Foundation

Versions Affected:
Oozie 3.1.3-incubating to Oozie 4.3.0
Oozie 5.0.0-beta1

Description:
The vulnerability allows a user of Oozie to expose private files accessible to
the Oozie server process. A malicious user can construct a workflow XML file
containing XML directives and configuration that reference sensitive files on
the Oozie server host.

Mitigation:
Users should upgrade to the Apache Oozie 4.3.1 release from
http://oozie.apache.org/ .
Users should use the 5.0.0-beta1 release only for testing purposes and wait for
the 5.0.0 GA release, which will include the fix.

Credit:
The issues were discovered by Daryn Sharp and Jason Lowe of Oath (formerly
Yahoo! Inc).
