Regards, Vasu
Vasu M Deshpande +91-97422-04624 India +1-408-663-2260 USA [email protected] www.easylibsoft.com > On Nov 8, 2017, at 12:21 PM, Akira Ajisaka <[email protected]> wrote: > > Hello, > > The following security vulnerability was found and fixed in Apache Hadoop. > > [also announced on [email protected]] > > ------- > > CVE-2017-3166: Apache Hadoop Privilege escalation vulnerability > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions Affected: > Hadoop 2.6.1+, 2.7.x before 2.7.4, 3.0.0-alpha before 3.0.0-alpha4 > > Description: > In a cluster where the YARN user has been granted access to all HDFS > encryption keys, if a file in an encryption zone with access permissions > that make it world readable is localized via YARN's localization mechanism, > e.g. via the MapReduce distributed cache, that file will be stored > in a world-readable location and shared freely with any application > that requests to localize that file, no matter who the application owner > is or whether that user should be allowed to access files from the > target encryption zone. > > Mitigation: > Users on 2.6.1+ and 2.7.x before 2.7.4 should upgrade to 2.7.4 or later > Users on 3.0.0-alpha before 3.0.0-alpha4 should upgrade to 3.0.0-alpha4 or > later > > Impact: > Users may gain access to files that should be protected by HDFS > transparent encryption if those files have world readable access > permissions and are localized through YARN's localization mechanism > in a cluster where YARN has been granted access to all HDFS encryption keys. > > Credit: > This issue was discovered by Luke Herbert. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
