oss-sec mailing list archives
Re: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
From: Yongjun Zhang <yzhang () cloudera com>
Date: Tue, 29 Nov 2016 07:15:36 -0800
Hi Zhe,

Please refer to https://www.apache.org/security/ for details.

Thanks.

--Yongjun

On Mon, Nov 28, 2016 at 10:26 PM, Zhe Zhang <zhe.zhang.research () gmail com> wrote:

> Thanks for the note Yongjun! Does HADOOP-13434 <https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?
>
> On Mon, Nov 28, 2016 at 4:04 PM Yongjun Zhang <yjzhangal () apache org> wrote:
>
>> Hi,
>>
>> Please see below the official announcement of a critical security vulnerability that's discovered and subsequently fixed in Apache Hadoop releases.
>>
>> Thanks and best regards,
>>
>> --Yongjun
>>
>> ----------
>>
>> CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
>>
>> Severity: Critical
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Hadoop 2.6.x, 2.7.x
>>
>> Description:
>> A remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands as the hdfs user.
>>
>> Mitigation:
>> 2.7.x users should upgrade to 2.7.3
>> 2.6.x users should upgrade to 2.6.5
>>
>> Impact:
>> A remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as HDFS service.
>>
>> Credit:
>> This issue was discovered by Freddie Rice.
>
> ------------
> Zhe Zhang
> Apache Hadoop Committer
> http://zhe-thoughts.github.io/about/ | @oldcap