Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAA0W1bTbUmUUSF1rjRpX-2DvWutcrPt7TJSWUcSLg1F0gyHG1Q@mail.gmail.com>
Date: Mon, 28 Nov 2016 16:04:45 -0800
From: Yongjun Zhang <yjzhangal@...che.org>
To: security@...che.org, oss-security@...ts.openwall.com, 
	bugtraq@...urityfocus.com, general@...oop.apache.org
Subject: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Hi,

Please see below the official announcement of a critical security
vulnerability that's discovered and subsequently fixed in Apache Hadoop
releases.

Thanks and best regards,

--Yongjun

----------

CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Severity: Critical



Vendor:

The Apache Software Foundation



Versions Affected:

Hadoop 2.6.x, 2.7.x



Description:

A remote user who can authenticate with the HDFS NameNode can possibly run
arbitrary commands as the hdfs user.



Mitigation:

2.7.x users should upgrade to 2.7.3

2.6.x users should upgrade to 2.6.5



Impact:

A remote user who can authenticate with the HDFS NameNode can possibly run
arbitrary commands with the same privileges as HDFS service.



Credit:

This issue was discovered by Freddie Rice.

----------

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.