[SECURITY] CVE-2016-5001: Apache Hadoop Information Disclosure

[Arpit Agarwal <aagarwal () hortonworks com>]

CVE-2016-5001: Apache Hadoop Information Disclosure

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Hadoop 2.7.1, 2.6.3 and earlier.

Description:
This is an information disclosure vulnerability in the short-circuit reads feature of HDFS. A local user on an HDFS 
DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain 
fields in the token.

Mitigation:
Users on 2.7.x should upgrade to 2.7.2 or later.
Users on 2.6.x or earlier releases should upgrade to 2.6.4 or later.

Impact:
A local user may be able to gain unauthorized read access to files.

Credit:
This issue was reported by Kihwal Lee of Yahoo Inc.