Discussion:
CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
Yongjun Zhang
2016-11-29 00:04:45 UTC
Hi,

Please see below the official announcement of a critical security
vulnerability that's discovered and subsequently fixed in Apache Hadoop
releases.

Thanks and best regards,

--Yongjun

----------

CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Severity: Critical



Vendor:

The Apache Software Foundation



Versions Affected:

Hadoop 2.6.x, 2.7.x



Description:

A remote user who can authenticate with the HDFS NameNode can possibly run
arbitrary commands as the hdfs user.



Mitigation:

2.7.x users should upgrade to 2.7.3

2.6.x users should upgrade to 2.6.5



Impact:

A remote user who can authenticate with the HDFS NameNode can possibly run
arbitrary commands with the same privileges as HDFS service.



Credit:

This issue was discovered by Freddie Rice.

----------
Zhe Zhang
2016-11-29 04:07:25 UTC
Thanks for the note Yongjun! Does HADOOP-13434
<https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?
Zhe Zhang
2016-11-29 06:26:25 UTC
Thanks for the note Yongjun! Does HADOOP-13434
<https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?
--
Zhe Zhang
Apache Hadoop Committer
http://zhe-thoughts.github.io/about/ | @oldcap
Yongjun Zhang
2016-11-29 15:15:36 UTC
Hi Zhe,

Please refer to https://www.apache.org/security/ for details.

Thanks.

--Yongjun