Arpit Agarwal
2016-12-16 21:31:58 UTC
Hello,
The following security vulnerability was found and fixed in Apache Hadoop.
[also announced on ***@securityfocus.com, oss-***@lists.openwall.com]
-------
CVE-2016-5001: Apache Hadoop Information Disclosure
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache Hadoop 2.7.1, 2.6.3 and earlier.
Description:
This is an information disclosure vulnerability in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.
Mitigation:
Users on 2.7.x should upgrade to 2.7.2 or later.
Users on 2.6.x or earlier releases should upgrade to 2.6.4 or later.
Impact:
A local user may be able to gain unauthorized read access to files.
Credit:
This issue was reported by Kihwal Lee of Yahoo Inc.
---------------------------------------------------------------------
To unsubscribe, e-mail: general-***@hadoop.apache.org
For additional commands, e-mail: general-***@hadoop.apache.org
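The version ranges in the advisory above can be checked mechanically on each node. The following is an added example, not part of the original announcement or of Apache Hadoop's code: it classifies the first line of `hadoop version` output against the fixed releases the advisory names. The function name, status labels and sample output are constructed for illustration, and the handling of suffixed builds rests on the assumption that distributor or pre-release builds cannot be judged from the upstream number alone.

```python
import re

# Fixed releases named in the advisory.
FIXED_27 = (2, 7, 2)   # for the 2.7.x line
FIXED_26 = (2, 6, 4)   # for 2.6.x and all earlier lines

_VERSION_RE = re.compile(r"^Hadoop\s+(\d+)\.(\d+)\.(\d+)(\S*)", re.MULTILINE)

# Constructed sample of what `hadoop version` prints (first lines only).
SAMPLE_OUTPUT = "Hadoop 2.7.1\nCompiled by builder on 2015-06-29T06:04Z\n"


def classify_cve_2016_5001(version_output):
    """Return (status, version) for CVE-2016-5001.

    status: "affected", "fixed", "check-build" or "unknown".
    """
    m = _VERSION_RE.search(version_output)
    if m is None:
        return ("unknown", None)
    ver = tuple(int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4)
    label = "%d.%d.%d%s" % (ver + (suffix,))
    if ver[:2] == (2, 7):
        affected = ver < FIXED_27
    else:
        # 2.6.x or earlier must reach 2.6.4; lines after 2.7 count as "later".
        affected = ver < FIXED_26
    # Assumption: a suffix (for example a distributor tag or "-SNAPSHOT") means
    # the build may carry a backported fix, or may be a pre-release of the fix
    # release that predates it, so it needs a manual check.
    if suffix and (affected or ver in (FIXED_27, FIXED_26)):
        return ("check-build", label)
    return ("affected" if affected else "fixed", label)


if __name__ == "__main__":
    print(classify_cve_2016_5001(SAMPLE_OUTPUT))
```
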