[ https://issues.apache.org/jira/browse/STORM-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla closed STORM-4002.
----------------------------------
    Resolution: Won't Fix

Storm 1.x isn't maintained anymore.

> Security Vulnerability - Action Required: “Incorrect Permission Assignment 
> for Critical Resource” vulnerability in some components of org.apache.storm
> -------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: STORM-4002
>                 URL: https://issues.apache.org/jira/browse/STORM-4002
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-kafka, storm-starter
>    Affects Versions: 1.1.0, 1.1.1, 1.2.0, 1.1.2, 1.2.1, 1.1.3, 1.2.2
>            Reporter: Yiheng Cao
>            Priority: Major
>
>  I think the method 
> org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache) 
> may have an “Incorrect Permission Assignment for Critical Resource” vulnerability, 
> which is present in some components of org.apache.storm. It shares similarities 
> with a recent CVE disclosure _CVE-2017-3166_ in the _"apache/hadoop"_ project. 
> The influencing components are listed below:
>  # org.apache.storm:storm-kafka-examples in the versions between 1.1.0 and 1.2.4.
>  # org.apache.storm:storm-starter in the versions of 1.1.2-1.1.3 and 1.2.0-1.2.2
> The source vulnerability information is as follows: 
> *Vulnerability Detail:*
> *CVE Identifier:* CVE-2017-3166
> *Description:* In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, 
> and 3.0.0-alpha1, if a file in an encryption zone with access permissions 
> that make it world readable is localized via YARN's localization mechanism, 
> that file will be stored in a world-readable location and can be shared 
> freely with any application that requests to localize that file.
> *Reference:* [https://nvd.nist.gov/vuln/detail/CVE-2017-3166]
> *Patch:* [https://github.com/apache/hadoop/commit/a47d8283b136aab5b9fa4c18e6f51fa799d91a29]
> *Vulnerability Description:* The vulnerability is present in the class 
> org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager, in the 
> method checkPermissionOfOther(FileSystem fs, Path path, FsAction action, 
> Map<URI, FileStatus> statCache), which is responsible for checking the 
> permissions of other files in the distributed cache. *But the check 
> snippet is similar to the vulnerable snippet for CVE-2017-3166* and may 
> have the same consequence as CVE-2017-3166: *a file in an encryption zone 
> with access permissions will be stored in a world-readable location and can 
> be freely shared with any application that requests the file to be 
> localized*. Therefore, maybe you need to fix the vulnerability with much 
> the same fix code as the CVE-2017-3166 patch. 
> Considering the potential risks it may have, I am willing to cooperate 
> with you to verify, address, and report the identified vulnerability promptly 
> through responsible means. If you require any further information or 
> assistance, please do not hesitate to reach out to me. Thank you, and I look 
> forward to hearing from you soon.
>  
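As an added illustration (not code from the Storm project, the Hadoop project, or the reporter), the following Python model shows the shape of the decision the report is about: a file to be localized is treated as shareable ("public") only if its "other" permission bits grant read and every ancestor directory grants "other" execute, and the hardened variant additionally refuses to treat anything inside an encryption zone as public. The ancestor walk is modelled on the check the report names; the encryption-zone guard, the sample paths, the mode bits and the zone root are all constructed assumptions based on the NVD description quoted above, not the text of the actual Hadoop patch.

```python
import posixpath

# Constructed sample "filesystem": path -> POSIX mode bits.
# These are made-up values for the illustration, not data from Storm or Hadoop.
SAMPLE_MODES = {
    "/": 0o755,
    "/data": 0o755,
    "/data/shared": 0o755,
    "/data/shared/model.bin": 0o644,      # world-readable, reachable: genuinely public
    "/data/private": 0o750,               # not traversable by "other"
    "/data/private/report.bin": 0o644,    # readable bits, but unreachable for "other"
    "/secure": 0o755,
    "/secure/zone": 0o755,
    "/secure/zone/keys.bin": 0o644,       # world-readable bits, but inside an encryption zone
}

# Constructed encryption-zone roots (assumption for the model): everything below
# one of these is meant to stay encrypted at rest and must not land in a shared cache.
SAMPLE_ENCRYPTION_ZONES = {"/secure/zone"}

# "Other" permission bits, in the same spirit as FsAction's READ/WRITE/EXECUTE.
READ, WRITE, EXECUTE = 4, 2, 1


def check_permission_of_other(modes, path, action):
    """True if the 'other' class of path's mode grants every bit in action."""
    other_bits = modes[path] & 0o7
    return (other_bits & action) == action


def ancestors_have_execute_permission(modes, path):
    """Every directory above path must be traversable by 'other' for the
    file to be reachable by everyone; one closed directory makes it private."""
    parent = posixpath.dirname(path)
    while True:
        if not check_permission_of_other(modes, parent, EXECUTE):
            return False
        if parent == "/":
            return True
        parent = posixpath.dirname(parent)


def in_encryption_zone(zones, path):
    """True if path is a zone root or lies below one."""
    return any(path == z or path.startswith(z.rstrip("/") + "/") for z in zones)


def is_public_unpatched(modes, path):
    """Pre-fix shape of the decision: world-readable file under traversable
    ancestors is placed in the shared (world-readable) public cache."""
    return (check_permission_of_other(modes, path, READ)
            and ancestors_have_execute_permission(modes, path))


def is_public_patched(modes, zones, path):
    """Hardened shape (assumed for this model): a file inside an encryption
    zone is never public, regardless of its permission bits."""
    if in_encryption_zone(zones, path):
        return False
    return is_public_unpatched(modes, path)


def classify(modes, zones, path):
    """Return both verdicts so the difference the CVE describes is visible."""
    return {
        "unpatched": is_public_unpatched(modes, path),
        "patched": is_public_patched(modes, zones, path),
    }


if __name__ == "__main__":
    for p in ("/data/shared/model.bin",
              "/data/private/report.bin",
              "/secure/zone/keys.bin"):
        print(p, classify(SAMPLE_MODES, SAMPLE_ENCRYPTION_ZONES, p))
```

Running the block prints one line per sample path. The two functions agree on the ordinary files and disagree only on `/secure/zone/keys.bin`, which is exactly the gap the quoted NVD description identifies: permission bits alone say "public", but the file's location in an encryption zone means it must not be copied into a shared, world-readable cache. When reviewing a vendored or copied version of this check, the question to ask is whether it has an equivalent of the zone guard, not just whether the bit tests look right.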



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
