Date: Thu, 15 Feb 2018 14:09:50 -0800 From: Rohini Palaniswamy <rohini@...che.org> To: dev@...ie.apache.org, user@...ie.apache.org, announce@...che.org, security@...che.org, oss-security@...ts.openwall.com Subject: [CVE-2017-15712] Apache Oozie Server vulnerability Apache Oozie is a workflow scheduler system to manage Apache Hadoop jobs. Severity: Severe Vendor: The Apache Software Foundation Versions Affected: Oozie 3.1.3-incubating to Oozie 4.3.0 Oozie 5.0.0-beta1 Description: Vulnerability allows a user of Oozie to expose private files on the Oozie server process. The malicious user can construct a workflow XML file containing XML directives and configuration that reference sensitive files on the Oozie server host. Mitigation: Users should upgrade to Apache Oozie 4.3.1 release from http://oozie.apache.org/ . Users should use 5.0.0-beta1 release only for testing purposes and wait for the 5.0.0 GA which will have the fix. Credit: The issues were discovered by Daryn Sharp and Jason Lowe of Oath (formerly Yahoo! Inc).
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.