Yiheng Cao created HBASE-28202:
----------------------------------

             Summary: Security Vulnerability - Action Required: “Incorrect 
Permission Assignment for Critical Resource” vulnerability in 
org.apache.hbase:hbase-shaded-client
                 Key: HBASE-28202
                 URL: https://issues.apache.org/jira/browse/HBASE-28202
             Project: HBase
          Issue Type: Bug
          Components: hbase-connectors, hbase-operator-tools
    Affects Versions: 1.3.2, 1.1.9, 1.1.8, 1.1.7, 1.1.6, 1.1.5, 1.1.4, 1.1.3, 
1.1.2
            Reporter: Yiheng Cao


  I think the method 
org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager.checkPermissionOfOther(FileSystem
 fs, Path path, FsAction action, Map<URI, FileStatus> statCache) may have an 
“Incorrect Permission Assignment for Critical Resource” vulnerability, which is 
present in org.apache.hbase:hbase-shaded-client in versions 
1.1.2~1.1.9; 1.3.2. It shares similarities with a recent CVE disclosure, 
_CVE-2017-3166_, in the _"apache/hadoop"_ project.

The source vulnerability information is as follows: 

*Vulnerability Detail:*

*CVE Identifier:* CVE-2017-3166

{*}Description{*}: In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, 
and 3.0.0-alpha1, if a file in an encryption zone with access permissions that 
make it world readable is localized via YARN's localization mechanism, that 
file will be stored in a world-readable location and can be shared freely with 
any application that requests to localize that file.

*Reference:* [https://nvd.nist.gov/vuln/detail/CVE-2017-3166]

{*}Patch{*}: 
[https://github.com/apache/hadoop/commit/a47d8283b136aab5b9fa4c18e6f51fa799d91a29]
*Vulnerability Description:* The vulnerability is present in the class 
org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager, in the method 
checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, 
FileStatus> statCache), which is responsible for checking the permissions of 
other files in the distributed cache. *But the check snippet is 
similar to the vulnerable snippet for CVE-2017-3166* and may have the same 
consequence as CVE-2017-3166: *a file in an encryption zone with access 
permissions will be stored in a world-readable location and can be freely 
shared with any application that requests the file to be localized*. 
Therefore, maybe you need to fix the vulnerability with much the same fix code 
as the CVE-2017-3166 patch. 
    Considering the potential risks it may have, I am willing to cooperate with 
you to verify, address, and report the identified vulnerability promptly 
through responsible means. If you require any further information or 
assistance, please do not hesitate to reach out to me. Thank you, and I look 
forward to hearing from you soon.
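The following is an added illustrative example, not code from the HBase or Hadoop projects and not the CVE-2017-3166 patch. It shows one defensive way to decide whether a distributed-cache file may be treated as "public" (localized to a world-readable location): the file must be world-readable, every ancestor directory must be world-searchable, and the file must not lie inside an HDFS encryption zone, since localizing such a file would copy its decrypted bytes into a location any application on the node can read. The class name CacheVisibilityCheck and the helper names are hypothetical; the example assumes the Hadoop version in use exposes DistributedFileSystem#getEZForPath.

```java
// Added example (not the Hadoop/HBase project's code). Classifies a cache file as
// public only when its permission bits AND its location (outside any encryption
// zone) make sharing it world-readable safe.
import java.io.IOException;
import java.net.URI;
import java.util.Map;

import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hdfs.DistributedFileSystem;

public final class CacheVisibilityCheck {

  private CacheVisibilityCheck() {}

  /** Returns the FileStatus for path, consulting and populating statCache first. */
  private static FileStatus statOf(FileSystem fs, Path path,
      Map<URI, FileStatus> statCache) throws IOException {
    URI key = path.toUri();
    FileStatus status = statCache.get(key);
    if (status == null) {
      status = fs.getFileStatus(path);
      statCache.put(key, status);
    }
    return status;
  }

  /** True if the "other" permission bits on path grant the requested action. */
  static boolean otherHas(FileSystem fs, Path path, FsAction action,
      Map<URI, FileStatus> statCache) throws IOException {
    FsAction other = statOf(fs, path, statCache).getPermission().getOtherAction();
    return other.implies(action);
  }

  /** True if every ancestor directory is world-searchable (execute bit for other). */
  static boolean ancestorsSearchable(FileSystem fs, Path path,
      Map<URI, FileStatus> statCache) throws IOException {
    for (Path dir = path.getParent(); dir != null; dir = dir.getParent()) {
      if (!otherHas(fs, dir, FsAction.EXECUTE, statCache)) {
        return false;
      }
    }
    return true;
  }

  /** True if path lies inside an HDFS encryption zone; other filesystems have none. */
  static boolean inEncryptionZone(FileSystem fs, Path path) throws IOException {
    if (fs instanceof DistributedFileSystem) {
      // Assumed available in the Hadoop version in use.
      return ((DistributedFileSystem) fs).getEZForPath(path) != null;
    }
    return false;
  }

  /**
   * Decide whether a cache file may be localized to a shared, world-readable
   * location. Files in an encryption zone are never public, regardless of their
   * permission bits: the permission bits protect the ciphertext on HDFS, not the
   * plaintext copy that localization would write.
   */
  public static boolean isPublic(FileSystem fs, Path path,
      Map<URI, FileStatus> statCache) throws IOException {
    Path qualified = fs.makeQualified(path);
    if (inEncryptionZone(fs, qualified)) {
      return false;
    }
    return otherHas(fs, qualified, FsAction.READ, statCache)
        && ancestorsSearchable(fs, qualified, statCache);
  }
}
```

The design point is that the permission walk alone (the part checkPermissionOfOther performs) answers "who may read this on HDFS", while the localization decision also needs "is it safe to materialize this in the clear"; the encryption-zone check is what separates the two questions.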

--
This message was sent by Atlassian Jira
(v8.20.10#820010)