Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 19 Jan 2018 08:46:40 -0600
From: Jason Lowe <jlowe@...che.org>
To: general@...oop.apache.org, user@...oop.apache.org, 
	Hadoop Common <common-dev@...oop.apache.org>, 
	"<security@...oop.apache.org>" <security@...oop.apache.org>, full-disclosure@...ts.grok.org.uk, 
	bugtraq@...urityfocus.com, oss-security@...ts.openwall.com
Subject: CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability

CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
  Hadoop 0.23.0 to 0.23.11
  Hadoop 2.0.0-alpha to 2.8.2
  Hadoop 3.0.0-alpha to 3.0.0-beta1

Users affected: Users running the MapReduce job history server daemon

Impact:  Vulnerability allows a cluster user to expose private files
owned by the user running the MapReduce job history server process.
The malicious user can construct a configuration file containing XML
directives that reference sensitive files on the MapReduce job history
server host.

Mitigation: Users should upgrade to Apache Hadoop 2.7.5, 2.8.3, 2.9.0, or 3.0.0.

Credit: This issue was discovered by Man Yue Mo of lgtm.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.