Date: Thu, 15 Feb 2018 14:09:50 -0800
From: Rohini Palaniswamy <rohini@...che.org>
To: dev@...ie.apache.org, user@...ie.apache.org, announce@...che.org, security@...che.org, oss-security@...ts.openwall.com
Subject: [CVE-2017-15712] Apache Oozie Server vulnerability

Apache Oozie is a workflow scheduler system to manage Apache Hadoop jobs.

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
Oozie 3.1.3-incubating to Oozie 4.3.0
Oozie 5.0.0-beta1

Description:
The vulnerability allows a user of Oozie to expose private files on the Oozie server process. The malicious user can construct a workflow XML file containing XML directives and configuration that reference sensitive files on the Oozie server host.

Mitigation:
Users should upgrade to the Apache Oozie 4.3.1 release from http://oozie.apache.org/ . Users should use the 5.0.0-beta1 release only for testing purposes and wait for the 5.0.0 GA, which will have the fix.

Credit:
The issues were discovered by Daryn Sharp and Jason Lowe of Oath (formerly Yahoo! Inc).
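A defensive check of the kind the advisory's description calls for, as an added example that is not Oozie's own code: it parses a workflow XML with every DTD-driven feature refused at the parser-callback layer, so a DOCTYPE or entity declaration aborts the parse before any file on the server could be resolved. The two workflow documents are constructed samples; the namespace string and the placeholder path in them are illustrative assumptions.

```python
"""Reject workflow XML that carries DTD directives (DOCTYPE, entity
declarations, external references).  Added example, not Oozie code."""
import xml.parsers.expat


class UnsafeWorkflowXml(Exception):
    """Raised when the document declares a DTD, entity or external reference."""


def check_workflow_xml(document: str) -> list:
    """Parse `document` with DTD features refused; return element names seen.

    Refusing inside the expat callbacks means no entity is ever resolved:
    the parse stops at the first <!DOCTYPE or <!ENTITY directive.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeWorkflowXml(f"DOCTYPE declaration not allowed: {name!r}")

    def reject_entity(*_args):
        raise UnsafeWorkflowXml("entity declaration not allowed")

    def refuse_external(context, base, system_id, public_id):
        return 0  # returning 0 makes expat error out instead of fetching the URI

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeWorkflowXml(f"malformed or unsafe XML: {exc}") from exc
    return seen


def is_safe_workflow(document: str) -> bool:
    """True when the document parses with no DTD-driven features present."""
    try:
        check_workflow_xml(document)
    except UnsafeWorkflowXml:
        return False
    return True


# Constructed sample: a benign workflow definition (namespace assumed).
SAFE_WORKFLOW = """<?xml version="1.0"?>
<workflow-app xmlns="uri:oozie:workflow:0.5" name="example">
  <start to="end"/>
  <end name="end"/>
</workflow-app>"""

# Constructed sample: the same document carrying a DTD that points an entity
# at a local file, the shape of directive the advisory describes (placeholder path).
UNSAFE_WORKFLOW = """<?xml version="1.0"?>
<!DOCTYPE workflow-app [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/PATH"> ]>
<workflow-app xmlns="uri:oozie:workflow:0.5" name="example">
  <start to="end"/>
  <end name="end"/>
</workflow-app>"""
```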