Message-ID: <CAMqJVeOJ6D5qgreA6ZiN3u30iQx2_1s3h+dns-60voG6H1fxNQ@mail.gmail.com>
Date: Fri, 19 Jan 2018 08:46:40 -0600
From: Jason Lowe <jlowe@...che.org>
To: general@...oop.apache.org, user@...oop.apache.org, 
	Hadoop Common <common-dev@...oop.apache.org>, 
	"<security@...oop.apache.org>" <security@...oop.apache.org>, full-disclosure@...ts.grok.org.uk, 
	bugtraq@...urityfocus.com, oss-security@...ts.openwall.com
Subject: CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability

CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
  Hadoop 0.23.0 to 0.23.11
  Hadoop 2.0.0-alpha to 2.8.2
  Hadoop 3.0.0-alpha to 3.0.0-beta1

Users affected: Users running the MapReduce job history server daemon

Impact: The vulnerability allows a cluster user to expose private files
owned by the user running the MapReduce job history server process.
A malicious user can construct a configuration file containing XML
directives that reference sensitive files on the MapReduce job history
server host.
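The mechanism described above is the classic external-entity pattern: a DTD in a user-supplied XML file declares an entity whose replacement text is read from a local path, and the daemon parsing that file expands it with its own privileges. The following is an added, illustrative example of how a server-side loader for Hadoop-style `<configuration>` XML can be hardened against that class of input; it is not Hadoop's own code and not the project's actual fix for this CVE, and the class name, the `load` helper and the placeholder file path are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/** Added example (hypothetical class, not Hadoop's code): a hardened loader for
 *  <configuration><property><name/><value/></property></configuration> files. */
public class HardenedConfigLoader {

    /** Build a DocumentBuilderFactory that refuses DOCTYPE declarations and external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright is the single most effective setting: without
        // a DTD there is nowhere to declare an entity that points at a local file.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);          // XInclude is another route to a local file
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parse name/value pairs; a document carrying a DOCTYPE is rejected with a SAXException. */
    static Map<String, String> load(byte[] xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml));
        Map<String, String> props = new LinkedHashMap<>();
        NodeList nodes = doc.getElementsByTagName("property");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element p = (Element) nodes.item(i);
            String name = textOf(p, "name");
            String value = textOf(p, "value");
            if (name != null) {
                props.put(name, value == null ? "" : value);
            }
        }
        return props;
    }

    private static String textOf(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign job configuration: parses normally.
        String benign = "<?xml version=\"1.0\"?><configuration>"
            + "<property><name>mapreduce.job.name</name><value>wordcount</value></property>"
            + "</configuration>";
        System.out.println("benign: " + load(benign.getBytes(StandardCharsets.UTF_8)));

        // Constructed hostile configuration of the kind the advisory describes: a DTD
        // declaring an entity that names a file on the parsing host (placeholder path).
        // The hardened parser must refuse it before any entity is resolved.
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE configuration [<!ENTITY leak SYSTEM \"file:///PLACEHOLDER/sensitive-file\">]>"
            + "<configuration><property><name>x</name><value>&leak;</value></property></configuration>";
        try {
            load(hostile.getBytes(StandardCharsets.UTF_8));
            System.out.println("FAIL: hostile configuration was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Operationally, the same settings apply to any daemon that parses XML submitted by cluster users; the `disallow-doctype-decl` feature is the one to confirm first, since a parser that reaches entity resolution at all is already the failure mode the advisory describes. Restricting the job history server process to the minimum file-system access it needs limits what such a flaw can expose even where a parser is misconfigured.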

Mitigation: Users should upgrade to Apache Hadoop 2.7.5, 2.8.3, 2.9.0, or 3.0.0.

Credit: This issue was discovered by Man Yue Mo of lgtm.com
