oss-sec mailing list archives

Re: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

From: Yongjun Zhang <yzhang () cloudera com>
Date: Tue, 29 Nov 2016 07:15:36 -0800

Hi Zhe,

Please refer to https://www.apache.org/security/ for details.

Thanks.

--Yongjun

On Mon, Nov 28, 2016 at 10:26 PM, Zhe Zhang <zhe.zhang.research () gmail com>
wrote:

Thanks for the note Yongjun! Does HADOOP-13434
<https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?

On Mon, Nov 28, 2016 at 4:04 PM Yongjun Zhang <yjzhangal () apache org>
wrote:

Hi,

Please see below the official announcement of a critical security
vulnerability that's discovered and subsequently fixed in Apache Hadoop
releases.

Thanks and best regards,

--Yongjun

----------

CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Severity: Critical

Vendor:

The Apache Software Foundation

Versions Affected:

Hadoop 2.6.x, 2.7.x

Description:

A remote user who can authenticate with the HDFS NameNode can possibly run
arbitrary commands as the hdfs user.

Mitigation:

2.7.x users should upgrade to 2.7.3

2.6.x users should upgrade to 2.6.5

Impact:

A remote user who can authenticate with the HDFS NameNode can possibly run
arbitrary commands with the same privileges as HDFS service.

Credit:

This issue was discovered by Freddie Rice.

----------

--
Zhe Zhang
Apache Hadoop Committer
http://zhe-thoughts.github.io/about/ | @oldcap