Hi there,
     I think the method
`org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache)`
may have an "Incorrect Permission Assignment for Critical Resource" vulnerability,
which affects org.apache.zeppelin:zeppelin-spark-dependencies-2.10 before 2.7.3.
It shares similarities with the recent CVE disclosure *CVE-2017-3166* in the
same project, *apache/hadoop*.
     The source vulnerability information is as follows:
>
> *Vulnerability Detail:*
>
> *CVE Identifier:* CVE-2017-3166
>
> *Description*: In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3,
> and 3.0.0-alpha1, if a file in an encryption zone with access permissions
> that make it world readable is localized via YARN's localization mechanism,
> that file will be stored in a world-readable location and can be shared
> freely with any application that requests to localize that file.
>
> *Reference:*
> https://nvd.nist.gov/vuln/detail/CVE-2017-3166
>
> *Patch*:
> https://github.com/apache/hadoop/commit/a47d8283b136aab5b9fa4c18e6f51fa799d91a29
>

*Vulnerability Description:* The vulnerability is present in the class
org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager, in the
method checkPermissionOfOther(FileSystem fs, Path path, FsAction action,
Map<URI, FileStatus> statCache), which is responsible for checking the
permissions of other files in the distributed cache. *But the check
snippet is similar to the vulnerable snippet for CVE-2017-3166* and may
have the same consequence as CVE-2017-3166: *a file in an encryption zone
with access permissions will be stored in a world-readable location and
can be freely shared with any application that requests the file to be
localized*. Therefore, you may need to fix the vulnerability with much
the same fix code as the CVE-2017-3166 patch.
    Considering the potential risks it may have, I am willing to cooperate
with you to verify, address, and report the identified vulnerability
promptly through responsible means. If you require any further information
or assistance, please do not hesitate to reach out to me. Thank you, and I
look forward to hearing from you soon.

Best regards,
Yiheng Cao

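An added illustration of what a complete "is this cache file public?" decision needs beyond the mode bits the report discusses. This is my sketch, not the reporter's code and not Hadoop's own implementation; the class and method names are hypothetical, and the encryption-zone condition is taken from the CVE-2017-3166 description quoted above rather than from the upstream patch itself.

```java
import java.io.IOException;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;

/** Hypothetical helper (not Hadoop's code): may a distributed-cache file be localized as PUBLIC? */
public final class CacheVisibilityCheck {
  /** Look up a FileStatus once per path, in the role of the statCache parameter named in the report. */
  static FileStatus status(FileSystem fs, Path p, Map<URI, FileStatus> statCache) throws IOException {
    FileStatus st = statCache.get(p.toUri());
    if (st == null) {
      st = fs.getFileStatus(p);
      statCache.put(p.toUri(), st);
    }
    return st;
  }

  /** Mode-bit check on the "other" class only, the kind of test checkPermissionOfOther performs. */
  static boolean otherHas(FileSystem fs, Path p, FsAction action, Map<URI, FileStatus> statCache)
      throws IOException {
    return status(fs, p, statCache).getPermission().getOtherAction().implies(action);
  }

  /**
   * PUBLIC only if the file is world-readable, every ancestor is world-executable, AND the file
   * is not inside an HDFS encryption zone. The encryption-zone test is what a pure mode-bit check
   * lacks: per the CVE description, such a file must not land in a world-readable cache directory.
   */
  public static boolean mayBePublic(FileSystem fs, URI uri) throws IOException {
    Map<URI, FileStatus> statCache = new HashMap<>();
    Path file = fs.makeQualified(new Path(uri.getPath()));
    if (status(fs, file, statCache).isEncrypted()) {
      return false;               // encrypted data is always treated as PRIVATE
    }
    if (!otherHas(fs, file, FsAction.READ, statCache)) {
      return false;               // the leaf must be readable by "other"
    }
    for (Path dir = file.getParent(); dir != null; dir = dir.getParent()) {
      if (!otherHas(fs, dir, FsAction.EXECUTE, statCache)) {
        return false;             // every ancestor must be traversable by "other"
      }
    }
    return true;
  }
}
```

A caller that obtains `false` here should localize the resource with PRIVATE (per-user) visibility instead of placing it in the shared public cache directory.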