Date: Fri, 19 Jan 2018 08:46:40 -0600 From: Jason Lowe <jlowe@...che.org> To: general@...oop.apache.org, user@...oop.apache.org, Hadoop Common <common-dev@...oop.apache.org>, "<security@...oop.apache.org>" <security@...oop.apache.org>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, oss-security@...ts.openwall.com Subject: CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability Severity: Severe Vendor: The Apache Software Foundation Versions Affected: Hadoop 0.23.0 to 0.23.11 Hadoop 2.0.0-alpha to 2.8.2 Hadoop 3.0.0-alpha to 3.0.0-beta1 Users affected: Users running the MapReduce job history server daemon Impact: Vulnerability allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host. Mitigation: Users should upgrade to Apache Hadoop 2.7.5, 2.8.3, 2.9.0, or 3.0.0. Credit: This issue was discovered by Man Yue Mo of lgtm.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.