Release Notes

Common Vulnerabilities and Exposures

CVE-2015-7521

Summary: Apache Hive authorization bug disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: HDP 2.1.x, 2.2.x and 2.3.x versions before HDP 2.3.6
Impact: Some partition-level operations do not also explicitly authorize privileges on the parent table. This can lead to issues when the parent table would have denied the operation but no denial occurs, because the partition-level privilege is not checked by the authorization framework, which defines authorization entities only from the table level upwards. This issue is known to affect Hive clusters protected by Ranger as well as those protected by SqlStdHiveAuthorization.
Migration: For Hive 0.13.x, 0.14.x, 1.0, 1.1 and 1.2, a separate jar is being made available which users can put in their ${HIVE_HOME}/lib/. It provides a hook that administrators add to their hive-site.xml by setting hive.semantic.analyzer.hook=org.apache.hadoop.hive.ql.parse.ParentTableAuthorizationHook. This parameter is a comma-separated list, so the hook can be appended to an existing list if one is already configured. You will then want to make sure that the hive.semantic.analyzer.hook parameter cannot be changed at runtime, by adding it to hive.conf.restricted.list. The jar and associated source tarball are available for download at https://hive.apache.org/downloads.html, along with their gpg-signed .asc signatures and md5sums for verification, in the hive-parent-auth-hook/ directory. This issue has already been patched in all affected Hive branches, and future releases will not need these mitigation steps.
Hortonworks Bug ID: BUG-50827
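
As an added illustration (not part of this advisory and not Hive project code), the following hive-site.xml fragment applies the two settings described in the Migration note: registering the hook and locking the hook parameter against runtime changes. The class name com.example.ExistingHook is a placeholder standing in for any hook a site may already have configured.

```xml
<!-- hive-site.xml fragment (added example, not from the advisory). -->
<configuration>
  <!-- hive.semantic.analyzer.hook is a comma-separated list. If the property is
       already set, append the parent-table hook to the existing value rather than
       replacing it; com.example.ExistingHook is a placeholder for such an entry. -->
  <property>
    <name>hive.semantic.analyzer.hook</name>
    <value>com.example.ExistingHook,org.apache.hadoop.hive.ql.parse.ParentTableAuthorizationHook</value>
  </property>

  <!-- Parameters listed in hive.conf.restricted.list cannot be overridden with SET
       in a session, so a client cannot simply remove the hook. Keep any entries
       your site already lists here and add hive.semantic.analyzer.hook to them. -->
  <property>
    <name>hive.conf.restricted.list</name>
    <value>hive.semantic.analyzer.hook</value>
  </property>
</configuration>
```

After restarting HiveServer2, a quick check that the mitigation is in place is to run SET hive.semantic.analyzer.hook; from a client session and confirm the hook class is listed, then attempt to SET it to another value and confirm the change is rejected.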

CVE-2017-3152

Summary: DOM XSS threat
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas versions 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a DOM XSS in the edit-tag functionality.
Fix detail: Atlas was updated to sanitize the query parameters.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2017-3153

Summary: Reflected XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas versions 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a Reflected XSS in the search functionality.
Fix detail: Atlas was updated to sanitize the query parameters.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2017-3154

Summary: Stack trace in error response
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas versions 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Error responses from the Atlas server included a stack trace, exposing excessive information.
Fix detail: Atlas was updated to omit the stack trace from error responses.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2017-3155

Summary: XFS - cross frame scripting vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas versions 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to cross frame scripting (XFS).
Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2016-8746

Summary: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: Hortonworks
Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2
Users affected: All users of the Ranger policy admin tool.
Impact: Ranger policy engine incorrectly matches paths in certain conditions when a policy contains wildcards and recursive flags.
Fix detail: Fixed the policy evaluation logic.
Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+).

CVE-2016-8751

Summary: Apache Ranger stored cross site scripting issue
Severity: Normal
Vendor: Hortonworks
Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2
Users affected: All users of the Ranger policy admin tool.
Impact: Apache Ranger is vulnerable to Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that executes when normal users log in and access policies.
Fix detail: Added logic to sanitize the user input.
Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+).