[ https://issues.apache.org/jira/browse/MAPREDUCE-7451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran updated MAPREDUCE-7451:
--------------------------------------
Summary: review TrackerDistributedCacheManager.checkPermissionOfOther
(was: Security Vulnerability - Action Required: “Incorrect Permission
Assignment for Critical Resource” vulnerability in the newest version of hadoop)
> review TrackerDistributedCacheManager.checkPermissionOfOther
> ------------------------------------------------------------
>
> Key: MAPREDUCE-7451
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-7451
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Reporter: Yiheng Cao
> Priority: Major
>
> I think the method
> {{org.apache.hadoop.filecache.TrackerDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action)}}
> may have an "Incorrect Permission Assignment for Critical Resource" vulnerability
> which is present in the newest version of hadoop. It shares similarities with a
> recent CVE disclosure, _CVE-2017-3166_, in the same project, _"apache/hadoop"_.
> The vulnerability is present in the class
> org.apache.hadoop.filecache.TrackerDistributedCacheManager, in the method
> checkPermissionOfOther(FileSystem fs, Path path, FsAction action), which is
> responsible for checking whether the file system object (FileSystem) at the
> specified path has additional user permissions for the specified
> operation (action). *But the check snippet is similar to the vulnerable
> snippet for CVE-2017-3166* and may have the same consequence as
> CVE-2017-3166: *a file in an encryption zone with access permissions will
> be stored in a world-readable location and can be freely shared with any
> application that requests the file to be localized*. Therefore, maybe you
> need to fix the vulnerability with much the same fix code as the
> CVE-2017-3166 patch.
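The permission-bits-only check the report questions, beside a hardened form that refuses to treat a file inside an HDFS encryption zone as public, as an added example written for this page and not Hadoop project code. It uses the public Hadoop FileSystem, FileStatus, FsPermission and DistributedFileSystem APIs and assumes hadoop-client on the classpath; beyond what the report states, it also walks the parent directories, since a world-readable file is only reachable by other users when every ancestor directory grants them execute permission. The class and method names (PublicResourceCheck, othersMayPerform, safeToLocalizeAsPublic, ancestorsExecutableByOthers) are chosen here and are not Hadoop identifiers.

```java
// Added example, not Hadoop project code. Assumes hadoop-client on the classpath.
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hdfs.DistributedFileSystem;

public final class PublicResourceCheck {

    /**
     * Mode-bits-only check: do the "other" permission bits of the object at
     * path allow the requested action? This is the pattern the report
     * describes; on its own it says nothing about where the data came from.
     */
    static boolean othersMayPerform(FileSystem fs, Path path, FsAction action)
            throws IOException {
        FileStatus status = fs.getFileStatus(path);
        return status.getPermission().getOtherAction().implies(action);
    }

    /**
     * A world-readable file is only reachable by others if every ancestor
     * directory grants them EXECUTE (search) permission.
     */
    static boolean ancestorsExecutableByOthers(FileSystem fs, Path path)
            throws IOException {
        for (Path dir = path.getParent(); dir != null; dir = dir.getParent()) {
            if (!othersMayPerform(fs, dir, FsAction.EXECUTE)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Hardened decision for "may this resource be localized as PUBLIC":
     * the mode bits must permit the action, the ancestors must be
     * traversable, and, on HDFS, the file must not lie in an encryption
     * zone. Encrypted data is copied out of the zone in clear text when
     * localized, so its mode bits alone must never make it shareable.
     */
    static boolean safeToLocalizeAsPublic(FileSystem fs, Path path, FsAction action)
            throws IOException {
        Path qualified = fs.makeQualified(path);
        if (!othersMayPerform(fs, qualified, action)) {
            return false;
        }
        if (!ancestorsExecutableByOthers(fs, qualified)) {
            return false;
        }
        if (fs instanceof DistributedFileSystem) {
            DistributedFileSystem dfs = (DistributedFileSystem) fs;
            // getEZForPath returns null when the path is not inside an encryption zone.
            if (dfs.getEZForPath(qualified) != null) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: PublicResourceCheck <path>");
            System.exit(2);
        }
        Path path = new Path(args[0]);
        FileSystem fs = path.getFileSystem(new Configuration());
        System.out.println("other-readable (mode bits only): "
                + othersMayPerform(fs, path, FsAction.READ));
        System.out.println("safe to localize as public:      "
                + safeToLocalizeAsPublic(fs, path, FsAction.READ));
    }
}
```

Run it with a local path (file:///...) to exercise the mode-bit and ancestor checks alone, or with an hdfs:// path to exercise the encryption-zone refusal; the two printed lines differ exactly when the mode bits would have classified a file as public that the hardened check rejects.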
--
This message was sent by Atlassian Jira
(v8.20.10#820010)