Fixed Common Vulnerabilities and Exposures
This section covers all Common Vulnerabilities and Exposures (CVE) that are addressed
in this release.
Summary: Use of insecure cookies
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Atlas issued cookies that were accessible to client-side scripts.
Fix detail: Atlas was updated to make its cookies unavailable to client-side scripts.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or a later version.
Summary: Persistent XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a Stored Cross-Site Scripting in the edit-tag functionality.
Fix detail: Atlas was updated to sanitize the user input.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or a later version.
Summary: DOM XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a DOM-based XSS in the edit-tag functionality.
Fix detail: Atlas was updated to sanitize the query parameters.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or a later version.
Summary: Reflected XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a Reflected XSS in the search functionality.
Fix detail: Atlas was updated to sanitize the query parameters.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or a later version.
Summary: Stack trace in error response
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Error responses from the Atlas server included a stack trace, exposing excessive information about the server internals.
Fix detail: Atlas was updated to not include stack traces in error responses.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or a later version.
Summary: XFS (cross-frame scripting) vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas 0.6.0 and 0.7.0
Users affected: All users of Apache Atlas server
Impact: Atlas pages could be embedded in frames by other origins, making Atlas vulnerable to cross-frame scripting (clickjacking).
Fix detail: Atlas was updated to send the appropriate anti-framing response headers.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or a later version.
Summary: Apache Knox impersonation issue for WebHDFS
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: All versions of Apache Knox prior to 0.12.0
Users affected: Users who access WebHDFS through Apache Knox.
Impact: An authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can easily be associated with the authenticated user, it is still a serious security issue.
Recommended Action: Upgrade to HDP 2.6.x.
Mitigation: All users are recommended to upgrade to Apache Knox 0.12.0, where validation, scrubbing and logging of such attempts has been added. The Apache Knox 0.12.0 release can be downloaded from:
Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
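The advisory describes the mitigation class (validate, scrub and log client-supplied identity assertions at the gateway) but not the parameter involved. The following is an added illustration of that pattern, not Knox's own code: it assumes the identity is carried in WebHDFS's documented user.name and doAs query parameters, drops any copy of them the client supplied, logs mismatches against the authenticated identity, and only then lets the gateway assert the identity it verified itself (directly, or through the proxy-user pattern where the gateway authenticates as its own principal and names the end user in doAs). Parameter names and the sample URLs are assumptions made for the example.

```python
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

log = logging.getLogger("gateway.identity")

# Query parameters through which a WebHDFS caller asserts an identity.
# user.name and doAs are WebHDFS's documented parameters; the advisory does not
# say which one Knox mishandled, so treating both as identity-bearing is an
# assumption of this example. Compared case-insensitively.
IDENTITY_PARAMS = {"user.name", "doas"}


def scrub_identity_params(url, authenticated_user, gateway_principal=None, client_ip="-"):
    """Rewrite an inbound WebHDFS URL so the backend only ever sees the identity
    the gateway authenticated.

    Returns (rewritten_url, rejected) where rejected lists every client-supplied
    identity value that did not match the authenticated user. A caller that
    prefers to fail closed can refuse the request whenever rejected is non-empty.
    """
    parts = urlsplit(url)
    kept = []
    rejected = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in IDENTITY_PARAMS:
            if value != authenticated_user:
                rejected.append(f"{key}={value}")
                log.warning(
                    "impersonation attempt: authenticated=%s ip=%s supplied %s=%s",
                    authenticated_user, client_ip, key, value,
                )
            # Never forward client-supplied identity, matching or not; the
            # gateway re-adds it from its own authenticated context below.
            continue
        kept.append((key, value))

    if gateway_principal:
        # Proxy-user pattern: gateway authenticates as itself, asserts the end user.
        kept.append(("user.name", gateway_principal))
        kept.append(("doAs", authenticated_user))
    else:
        kept.append(("user.name", authenticated_user))

    return urlunsplit(parts._replace(query=urlencode(kept))), rejected
```

Scrubbing alone is not the whole fix: the returned `rejected` list is what feeds the audit log and any alerting, and a deployment that wants to fail closed should reject the request outright rather than silently forwarding the corrected URL.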
Summary: Apache Ranger policy evaluation ignores characters after the '*' wildcard character
Severity: Critical
Vendor: Hortonworks
Versions Affected: HDP 2.3/2.4/2.5/2.6 versions, including Apache Ranger versions 0.5.x/0.6.x/0.7.0
Users affected: Environments that use Ranger policies with characters after the '*' wildcard character, such as my*test or test*.txt
Impact: The policy resource matcher ignores characters after the '*' wildcard character, so a policy written for my*test also matches resources such as myfoo, granting access that was not intended.
Fix detail: The Ranger policy resource matcher was updated to correctly handle wildcard matches.
Recommended Action: Upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+).
Summary: Apache Ranger Hive Authorizer should check for RWX permission when an external location is specified
Severity: Critical
Vendor: Hortonworks
Versions Affected: HDP 2.3/2.4/2.5/2.6 versions, including Apache Ranger versions 0.5.x/0.6.x/0.7.0
Users affected: Environments that use external locations for Hive tables
Impact: When a table is created with an external location, the Apache Ranger Hive Authorizer did not check that the user holds RWX permission on that location, so the create table statement could succeed without the user being authorized for the underlying path.
Fix detail: The Ranger Hive Authorizer was updated to correctly perform the permission check for the external location.
Recommended Action: Users should upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+).
Summary: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: Hortonworks
Versions Affected: All HDP 2.5 versions, including Apache Ranger versions 0.6.0/0.6.1/0.6.2
Users affected: All users of the Ranger policy admin tool.
Impact: The Ranger policy engine incorrectly matches paths in certain conditions when a policy contains wildcards and recursive flags.
Fix detail: Fixed the policy evaluation logic.
Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+).
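The two Ranger matcher advisories above (the '*' truncation issue and the wildcard-plus-recursive path issue) both come down to how a resource matcher is written. The following is an added example, not Ranger's code: `buggy_match` models the described defect, where everything after the first '*' is dropped and the pattern degenerates into a prefix check, and `wildcard_match` is a correct glob matcher that must consume the whole value. `path_policy_matches` layers a path policy on top of it; the segment-wise semantics (a '*' does not cross a '/', and the recursive flag decides whether deeper paths are covered) are this example's own assumption, since the advisory does not spell out Ranger's rules. All patterns and paths are constructed for the example.

```python
def buggy_match(pattern, value):
    """Models the defect: characters after the first '*' are ignored, so
    my*test behaves like my* and matches myfoo."""
    if "*" not in pattern:
        return value == pattern
    return value.startswith(pattern.split("*", 1)[0])


def wildcard_match(pattern, value):
    """Glob match with '*' (any run of characters) and '?' (exactly one).
    Iterative backtracking over the last '*' seen; the whole value must be
    consumed, so trailing literal text after a '*' is enforced."""
    p = v = 0
    star = -1      # pattern index of the most recent '*'
    star_v = 0     # value index to resume from when backtracking to it
    while v < len(value):
        if p < len(pattern) and (pattern[p] == "?" or pattern[p] == value[v]):
            p += 1
            v += 1
        elif p < len(pattern) and pattern[p] == "*":
            star, star_v = p, v
            p += 1
        elif star != -1:
            # Let the last '*' absorb one more character and retry.
            star_v += 1
            p, v = star + 1, star_v
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def path_policy_matches(policy_path, recursive, resource_path):
    """Match a path resource against a policy path whose segments may hold
    wildcards. Example semantics (an assumption, not Ranger's documented rules):
    a wildcard matches within a single segment only; with recursive=False the
    resource must have exactly as many segments as the policy, with
    recursive=True any deeper path under a matching prefix is covered."""
    policy_segs = [s for s in policy_path.split("/") if s]
    resource_segs = [s for s in resource_path.split("/") if s]
    if len(resource_segs) < len(policy_segs):
        return False
    if len(resource_segs) > len(policy_segs) and not recursive:
        return False
    return all(wildcard_match(p, r) for p, r in zip(policy_segs, resource_segs))
```

The first assertion a practitioner wants is the negative one: `my*test` must not match `myfoo`. A matcher test suite that only checks positive matches would have passed with the truncating implementation.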
Summary: Apache Ranger stored cross-site scripting issue
Severity: Normal
Vendor: Hortonworks
Versions Affected: All HDP 2.3/2.4/2.5 versions, including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2
Users affected: All users of the Ranger policy admin tool.
Impact: Apache Ranger is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. An admin user can store arbitrary JavaScript that executes when other users log in and view the policy.
Fix detail: Added logic to sanitize the user input.
Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+).
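Each XSS entry on this page (the Atlas stored, DOM-based and reflected issues in the edit-tag and search functionality, and the Ranger stored issue in custom policy conditions) was fixed by encoding untrusted input before it reaches the page. The following is an added example of that fix, not code from Atlas or Ranger: a stored tag name and a reflected search term are rendered first the vulnerable way (string concatenation) and then with an encoder chosen for the output context. The HTML context uses entity encoding; data handed to client-side script (the DOM case) is emitted as a JSON string literal with `</` broken up so it cannot close the enclosing script element. The payloads and markup are constructed for the example.

```python
import html
import json

# Constructed attacker inputs for the example (not from any real incident).
STORED_TAG_NAME = '<img src=x onerror="alert(document.cookie)">'
REFLECTED_QUERY = '</script><script>alert(1)</script>'


def render_tag_vulnerable(tag_name):
    """Pre-fix pattern: untrusted data concatenated straight into markup, so a
    stored tag name like STORED_TAG_NAME becomes live HTML for every viewer."""
    return f'<span class="tag">{tag_name}</span>'


def render_tag_safe(tag_name):
    """HTML element/attribute context: entity-encode & < > and both quote
    characters, so the browser treats the value as text, never as markup."""
    return f'<span class="tag">{html.escape(tag_name, quote=True)}</span>'


def js_string_literal(value):
    """JavaScript string context. json.dumps yields a quoted, escaped literal and
    (with the default ensure_ascii) also escapes U+2028/U+2029, which are line
    terminators in JavaScript. '</' is split so the literal can never contain
    a '</script>' that ends the enclosing element early."""
    return json.dumps(value).replace("</", "<\\/")


def render_search_page(query):
    """Reflects the search term in two contexts, each with its own encoder:
    once as visible text and once as data for the page's script."""
    return (
        "<p>Results for " + html.escape(query, quote=True) + "</p>\n"
        "<script>var initialQuery = " + js_string_literal(query) + ";</script>"
    )
```

HTML entity encoding is not sufficient for the script context and vice versa; the two encoders exist because the same search term is reflected in two places with different parsing rules.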
Summary: Atlas web server allows users to browse the webapp directory
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: Apache Atlas 0.6.0, 0.7.0 and 0.7.1
Users affected: All users of Apache Atlas server
Impact: Atlas users can list the contents of the webapp directory by requesting URIs such as /js or /img.
Fix detail: Atlas was updated to prevent browsing of the webapp directory contents.
Mitigation: Users should upgrade to Apache Atlas 0.8-incubating or a later version.
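Four of the Atlas entries on this page (cookies readable by script, a stack trace in error responses, missing anti-framing headers, and a browsable webapp directory) are all visible in a single HTTP response, so a practitioner verifying an upgrade usually checks them together. The following is an added example of such a check, not part of Atlas or of this release: it parses a raw HTTP response and reports cookies without HttpOnly or Secure, responses that can be framed (no X-Frame-Options and no CSP frame-ancestors), error bodies carrying Java stack frames, and 200 responses that look like a directory listing. The stack-frame and directory-listing patterns are heuristics chosen for the example, and the three sample responses are constructed, including the cookie name and the package names in the trace.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    check: str
    detail: str


# Heuristics (assumptions for this example): a Java stack frame line such as
# "\tat org.example.Foo.bar(Foo.java:42)", and the title a Jetty or Apache httpd
# auto-generated index page gives a directory listing.
STACK_FRAME_RE = re.compile(r"^\s+at [\w$.]+\([\w$.]*:\d+\)", re.M)
DIR_LISTING_RE = re.compile(r"<title>Directory: |Index of /", re.I)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body.decode("utf-8", "replace")


def audit_response(raw, path="/"):
    """Return the findings for one response; an empty list means all checks passed."""
    status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split(";")[0].split("=")[0]
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(Finding("cookie-httponly", cookie))
            if "secure" not in attrs:
                findings.append(Finding("cookie-secure", cookie))
    names = {n for n, _ in headers}
    csp = next((v for n, v in headers if n == "content-security-policy"), "")
    if "x-frame-options" not in names and "frame-ancestors" not in csp:
        findings.append(Finding("framing", "no X-Frame-Options or CSP frame-ancestors"))
    if status >= 400 and STACK_FRAME_RE.search(body):
        findings.append(Finding("stack-trace", f"{status} body contains Java stack frames"))
    if status == 200 and DIR_LISTING_RE.search(body):
        findings.append(Finding("directory-listing", path))
    return findings


# Constructed sample responses: a pre-fix error page, a hardened error page,
# and a directory listing served for a static-asset path.
VULNERABLE_ERROR = (
    b"HTTP/1.1 500 Server Error\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    b"\r\n"
    b"<html><body>java.lang.NullPointerException\n"
    b"\tat org.example.web.TagResource.update(TagResource.java:88)\n"
    b"\tat org.example.web.Dispatcher.invoke(Dispatcher.java:42)\n"
    b"</body></html>"
)
HARDENED_ERROR = (
    b"HTTP/1.1 500 Server Error\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html><body>An internal error occurred.</body></html>"
)
DIR_LISTING = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html><head><title>Directory: /js/</title></head><body>...</body></html>"
)
```

Run it against the responses for an error-inducing request, the login page, and the /js and /img paths before and after upgrading; the pre-fix server should produce findings for every check this page lists, and the upgraded one should produce none.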