Akira Ajisaka
2017-01-10 01:43:00 UTC
Hello,
The following security vulnerability was found and fixed in Apache Hadoop.
[also announced on ***@securityfocus.com,
oss-***@lists.openwall.com]
-------
CVE-2016-3086: Apache Hadoop YARN NodeManager vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Hadoop 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4
Hadoop 2.7.0, 2.7.1, 2.7.2
Description:
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x
before 2.7.3 can leak the password for credential store provider used by
the NodeManager to YARN Applications.
If you use the CredentialProvider feature to encrypt passwords used in
NodeManager configs, it may be possible for any Container launched by
that NodeManager to gain access to the encryption password. The other
passwords themselves are not directly exposed.
Mitigation:
2.7.x users should upgrade to 2.7.3.
2.6.x users should upgrade to 2.6.5
If you cannot upgrade to the latest version, set the permission of the
jceks file appropriately to restrict access from unauthorized users.
Credit:
This issue was discovered by Robert Kanter.
---------------------------------------------------------------------
To unsubscribe, e-mail: general-***@hadoop.apache.org
For additional commands, e-mail: general-***@hadoop.apache.org
The following security vulnerability was found and fixed in Apache Hadoop.
[also announced on ***@securityfocus.com,
oss-***@lists.openwall.com]
-------
CVE-2016-3086: Apache Hadoop YARN NodeManager vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Hadoop 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4
Hadoop 2.7.0, 2.7.1, 2.7.2
Description:
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x
before 2.7.3 can leak the password for credential store provider used by
the NodeManager to YARN Applications.
If you use the CredentialProvider feature to encrypt passwords used in
NodeManager configs, it may be possible for any Container launched by
that NodeManager to gain access to the encryption password. The other
passwords themselves are not directly exposed.
Mitigation:
2.7.x users should upgrade to 2.7.3.
2.6.x users should upgrade to 2.6.5
If you cannot upgrade to the latest version, set the permission of the
jceks file appropriately to restrict access from unauthorized users.
Credit:
This issue was discovered by Robert Kanter.
---------------------------------------------------------------------
To unsubscribe, e-mail: general-***@hadoop.apache.org
For additional commands, e-mail: general-***@hadoop.apache.org