Release Notes

Fixed Common Vulnerabilities and Exposures

This section covers all Common Vulnerabilities and Exposures (CVE) that are addressed in this release.

CVE-2017-3150

Summary: Use of insecure cookies
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Impact: Atlas uses cookies that could be accessible to client-side scripts.
Fix detail: Atlas was updated to make the cookies unavailable to client-side scripts.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2017-3151

Summary: Persistent XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a Stored Cross-Site Scripting in the edit-tag functionality.
Fix detail: Atlas was updated to sanitize the user input.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2017-3152

Summary: DOM XSS threat
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a DOM XSS in the edit-tag functionality.
Fix detail: Atlas was updated to sanitize the query parameters.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2017-3153

Summary: Reflected XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a Reflected XSS in the search functionality.
Fix detail: Atlas was updated to sanitize the query parameters.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2017-3154

Summary: Stack trace in error response
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Impact: Error response from Atlas server included stack trace, exposing excessive information.
Fix detail: Atlas was updated to not include stack trace in error responses.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.

CVE-2017-3155

Summary: XFS - cross frame scripting vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to cross frame scripting.
Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability.
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version.
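The two Atlas fixes above (CVE-2017-3150, cookies reachable from client-side scripts; CVE-2017-3155, cross frame scripting) both come down to response headers, so the most useful thing after an upgrade is a check that the server now sends the right ones. The following is an added example, not code from Atlas or from these release notes: it parses a captured response header list and reports session cookies missing the HttpOnly flag and responses lacking an anti-framing header (X-Frame-Options or a CSP frame-ancestors directive, the standard defenses against framing; the page does not say which header Atlas chose). It goes slightly beyond the page by also flagging cookies without the Secure attribute. The cookie name and header lists are constructed sample data.

```python
# Added example: audit captured HTTP response headers for the two header-level
# weaknesses fixed in Atlas 0.7.1 (cookies readable by scripts; frameable pages).
# The header lists below are constructed samples, not real Atlas responses.

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie_name, {attribute: value_or_True}).
    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of findings; an empty list means the response passes."""
    findings = []
    anti_framing = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "httponly" not in attrs:          # CVE-2017-3150 class of issue
                findings.append(f"cookie {cookie} lacks HttpOnly")
            if "secure" not in attrs:            # extra check beyond the page
                findings.append(f"cookie {cookie} lacks Secure")
        elif lname == "x-frame-options":
            if value.strip().upper() in ("DENY", "SAMEORIGIN"):
                anti_framing = True
        elif lname == "content-security-policy":
            if "frame-ancestors" in value.lower():
                anti_framing = True
    if not anti_framing:                         # CVE-2017-3155 class of issue
        findings.append("no anti-framing header (X-Frame-Options or CSP frame-ancestors)")
    return findings


# Constructed samples: a response shaped like the pre-fix behaviour and one after the fix.
BEFORE_FIX = [
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Content-Type", "text/html"),
]
AFTER_FIX = [
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure"),
    ("X-Frame-Options", "DENY"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_response_headers(hdrs) or "OK")
```

Feed `audit_response_headers` the headers captured from a login response (for example via the browser's network panel or `curl -i`) to confirm the upgrade took effect; the check is deliberately header-only so it works against any web application, not just Atlas.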

CVE-2017-5646

Summary: Apache Knox Impersonation Issue for WebHDFS
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: All versions of Apache Knox prior to 0.12.0
Users affected: Users who use WebHDFS through Apache Knox.
Impact: An authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue.
Recommended Action: Upgrade to 2.6.x
Mitigation: All users are recommended to upgrade to Apache Knox 0.12.0, where validation, scrubbing and logging of such attempts has been added. The Apache Knox 0.12.0 release can be downloaded from:
Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip

CVE-2017-7676

Summary: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character
Severity: Critical
Vendor: Hortonworks
Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0
Users affected: Environments that use Ranger policies with characters after ‘*’ wildcard character – like my*test, test*.txt
Impact: Policy resource matcher ignores characters after ‘*’ wildcard character, which can result in unintended behavior.
Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.
Recommended Action: Upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+).
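The Ranger entry above describes a matcher that stops paying attention to a pattern after the first ‘*’, so `my*test` behaves like `my*` and grants more than the policy author intended. The following is an added example, not Ranger's matcher or code from these release notes: a deliberately naive prefix-style matcher illustrating that bug class beside an anchored matcher that honours everything after the wildcard, plus a helper that lists the resources the naive version over-grants. It handles the general case (any number of ‘*’ anywhere in the pattern), not only the two patterns the entry names; the pattern syntax (‘*’ matches any run of characters, everything else literal) and the resource names are assumptions constructed for the example.

```python
import re

# Constructed sample resource names (not from any real Ranger policy).
SAMPLE_RESOURCES = ["my_test", "mytest", "myfoo", "test1.txt", "test1.csv", "test.txt.bak"]


def naive_match(pattern: str, resource: str) -> bool:
    """Illustrative buggy matcher (not Ranger's code): everything after the first '*'
    is ignored, so the pattern degenerates into a prefix check."""
    star = pattern.find("*")
    if star == -1:
        return pattern == resource
    return resource.startswith(pattern[:star])


def wildcard_match(pattern: str, resource: str) -> bool:
    """Correct matcher: '*' matches any run of characters, every other character is
    literal, and the whole resource must be consumed (anchored), so text after a
    wildcard still has to match."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, resource) is not None


def over_matches(pattern: str, resources=SAMPLE_RESOURCES):
    """Resources the naive matcher would grant but the correct matcher rejects,
    i.e. the unintended access a policy using this pattern would have allowed."""
    return [r for r in resources if naive_match(pattern, r) and not wildcard_match(pattern, r)]


if __name__ == "__main__":
    for pat in ("my*test", "test*.txt", "*"):
        print(f"{pat!r}: over-granted {over_matches(pat)}")
```

Running `over_matches` over the resource names an environment actually uses is a quick way to see which policies with text after a ‘*’ were affected before the upgrade and deserve an audit-log review.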

CVE-2017-7677

Summary: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified
Severity: Critical
Vendor: Hortonworks
Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0
Users affected: Environments that use external location for hive tables
Impact: In environments that use an external location for Hive tables, the Apache Ranger Hive Authorizer did not check, as it should, for RWX permission on the external location specified for create table.
Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location.
Recommended Action: Users should upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+).

CVE-2017-9799

Summary: Potential execution of code as the wrong user in Apache Storm
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP 2.4.0, HDP-2.5.0, HDP-2.6.0
Users affected: Users who use Storm in secure mode and are using blobstore to distribute topology based artifacts or using the blobstore to distribute any topology resources.
Impact: Under some situations and configurations of Storm it is theoretically possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user. In the worst case, this could lead to the secure credentials of the other user being compromised. This vulnerability only applies to Apache Storm installations with security enabled.
Mitigation: Upgrade to HDP-2.6.2.1 as there are currently no workarounds.

CVE-2016-4970

Summary: handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop)
Severity: Moderate
Vendor: Hortonworks
Versions Affected: HDP 2.x.x since 2.3.x
Users Affected: All users that use HDFS.
Impact: Impact is low, as Hortonworks does not use OpenSslEngine.java directly in the Hadoop codebase.
Recommended Action: Upgrade to 2.6.3.

CVE-2016-8746

Summary: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: Hortonworks
Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2
Users affected: All users of the Ranger policy admin tool.
Impact: Ranger policy engine incorrectly matches paths in certain conditions when a policy contains wildcards and recursive flags.
Fix detail: Fixed policy evaluation logic
Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+)

CVE-2016-8751

Summary: Apache Ranger stored cross site scripting issue
Severity: Normal
Vendor: Hortonworks
Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2
Users affected: All users of the Ranger policy admin tool.
Impact: Apache Ranger is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that executes when normal users log in and access policies.
Fix detail: Added logic to sanitize the user input.
Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+)

CVE-2016-8752

Summary: Atlas web server allows user to browse webapp directory
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 or 0.7.1 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Impact: Atlas users can access the webapp directory contents by pointing to URIs like /js or /img.
Fix detail: Atlas was updated to prevent browsing of webapp directory contents.
Mitigation: Users should upgrade to Apache Atlas 0.8-incubating or later version.