SB2018070222 - Fedora 28 update for hadoop

Published: July 2, 2018 Updated: April 24, 2025

Security Bulletin ID: SB2018070222
Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 25% Medium 25% Low 50%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Cleartext transmission of sensitive information (CVE-ID: CVE-2017-3166)

The vulnerability allows a local authenticated user to gain access to sensitive information.

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an HDFS encryption zone has access permissions that make it world readable and is localized via YARN's localization mechanism, the file is stored on the NodeManager host in a world-readable location and can be shared freely with any application that requests to localize it. Localization reads the file through the HDFS client, so the local copy is cleartext: the at-rest encryption the zone was meant to provide no longer protects the data on the node.


2) Information disclosure (CVE-ID: CVE-2017-15713)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. A malicious user can construct a job configuration file containing XML directives (a DOCTYPE with an external entity) that reference sensitive files on the job history server host; when the server parses that configuration, the referenced file contents are pulled into the document and become readable to the user.
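The attack shape above is XML external entity (XXE) injection against the configuration parser: the server parses user-supplied configuration XML, and a DOCTYPE that declares an external entity lets that XML pull in any file the server process can read. The following added example is not Hadoop's own code; it is a Python illustration of the check a hardened parser applies. It parses Hadoop-style configuration XML with the standard-library expat parser and refuses any DOCTYPE or entity declaration before a single entity could be resolved. The two sample documents, the names BENIGN_CONFIG, HOSTILE_CONFIG, parse_job_config, is_safe_config and UnsafeConfigError, and the file path used in the hostile sample are constructed for this example.

```python
# Added example (not Hadoop's own code): a hardened parser for Hadoop-style
# job configuration XML. It refuses DOCTYPE and entity declarations outright,
# so a submitted configuration cannot use an external entity to read files on
# the host that parses it (the attack class described above).
import xml.parsers.expat


class UnsafeConfigError(ValueError):
    """Raised when a configuration document carries DTD/entity machinery."""


def parse_job_config(xml_text: str) -> dict:
    """Parse <configuration><property><name/><value/></property>... into a dict.

    Any DOCTYPE or entity declaration raises UnsafeConfigError before expat
    gets a chance to resolve an entity; as a second line of defence, external
    entity references are refused even if one were somehow reached.
    """
    props = {}
    cur = {"text": "", "name": None, "value": None}

    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeConfigError(
            f"DOCTYPE not allowed in job configuration "
            f"(name={name!r}, system_id={system_id!r})")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeConfigError(
            f"entity declaration {name!r} not allowed (system_id={system_id!r})")

    def external_entity_ref(context, base, system_id, public_id):
        return 0  # tell expat the reference was not handled: the parse fails

    def start_element(tag, attrs):
        cur["text"] = ""
        if tag == "property":
            cur["name"], cur["value"] = None, None

    def char_data(data):
        cur["text"] += data

    def end_element(tag):
        text = cur["text"].strip()
        if tag == "name":
            cur["name"] = text
        elif tag == "value":
            cur["value"] = text
        elif tag == "property" and cur["name"]:
            props[cur["name"]] = cur["value"] or ""
        cur["text"] = ""

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        # Undefined entity references and other malformed input end up here.
        raise UnsafeConfigError(f"malformed configuration: {exc}") from exc
    return props


def is_safe_config(xml_text: str) -> bool:
    """True if the document parses without any DTD/entity machinery."""
    try:
        parse_job_config(xml_text)
    except UnsafeConfigError:
        return False
    return True


# Constructed sample: an ordinary job configuration.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>mapreduce.job.name</name><value>wordcount</value></property>
  <property><name>mapreduce.job.queuename</name><value>default</value></property>
</configuration>
"""

# Constructed sample in the shape the advisory describes: a DTD whose external
# entity points at a file on the host that parses the configuration.
HOSTILE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE configuration [
  <!ENTITY hostfile SYSTEM "file:///etc/passwd">
]>
<configuration>
  <property><name>mapreduce.job.name</name><value>&hostfile;</value></property>
</configuration>
"""

if __name__ == "__main__":
    print("benign:", parse_job_config(BENIGN_CONFIG))
    print("hostile accepted?", is_safe_config(HOSTILE_CONFIG))
```

Rejecting the DOCTYPE itself, rather than only disabling entity expansion, is the safer default for a format that never legitimately needs a DTD: it also stops a DOCTYPE that pulls an external DTD over the network and entity-expansion denial of service, with no dependence on which expansion features a given parser build enables.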


3) Information disclosure (CVE-ID: CVE-2017-15718)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for the credential store provider used by the NodeManager to YARN applications. A user who can submit an application to the cluster can therefore obtain a secret that should be available only to the NodeManager process.


4) Command injection (CVE-ID: CVE-2016-6811)

The vulnerability allows a remote authenticated attacker to execute arbitrary commands with elevated privileges on the target system.

The weakness exists in Apache Hadoop 2.x before 2.7.4: a user who has, or can escalate to, access as the yarn service account can run arbitrary commands as root. An attacker who obtains yarn user access can therefore inject and execute arbitrary commands with root privileges on the affected host.

Remediation

Install the updated hadoop package from the Fedora 28 update repositories (for example, dnf upgrade hadoop) and restart the affected Hadoop services.