FYI
---------- Forwarded message ----------
From: Arpit Agarwal <[email protected]>
Date: Fri, Dec 16, 2016 at 1:31 PM
Subject: [SECURITY] CVE-2016-5001: Apache Hadoop Information Disclosure
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>

Hello,

The following security vulnerability was found and fixed in Apache Hadoop.

[also announced on [email protected], [email protected]]

-------

CVE-2016-5001: Apache Hadoop Information Disclosure

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Hadoop 2.7.1, 2.6.3 and earlier.

Description: This is an information disclosure vulnerability in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Mitigation: Users on 2.7.x should upgrade to 2.7.2 or later. Users on 2.6.x or earlier releases should upgrade to 2.6.4 or later.

Impact: A local user may be able to gain unauthorized read access to files.

Credit: This issue was reported by Kihwal Lee of Yahoo Inc.
