Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CABBupGWtC2vN-JzXWeuDaN-_bP6yzRJhK+DAfr=gSGLZJGbFCQ@mail.gmail.com>
Date: Thu, 15 Feb 2018 14:09:50 -0800
From: Rohini Palaniswamy <rohini@...che.org>
To: dev@...ie.apache.org, user@...ie.apache.org, announce@...che.org, 
	security@...che.org, oss-security@...ts.openwall.com
Subject: [CVE-2017-15712] Apache Oozie Server vulnerability

Apache Oozie is a workflow scheduler system to manage Apache Hadoop jobs.

Severity: Severe

Vendor:
The Apache Software Foundation

Versions Affected:
Oozie 3.1.3-incubating to Oozie 4.3.0
Oozie 5.0.0-beta1

Description:
Vulnerability allows a user of Oozie to expose private files on the Oozie
server process.  The malicious user can construct a workflow XML file
containing XML directives and configuration that reference sensitive files
on the Oozie server host.

Mitigation:
Users should upgrade to Apache Oozie 4.3.1 release from
http://oozie.apache.org/ .
Users should use 5.0.0-beta1 release only for testing purposes and wait for
the 5.0.0 GA which will have the fix.

Credit:
The issues were discovered by Daryn Sharp and Jason Lowe of Oath (formerly
Yahoo! Inc).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.