Fixed Common Vulnerabilities and Exposures
This section covers all Common Vulnerabilities and Exposures (CVE) that are addressed in
this release.
| Summary: Use of insecure cookies |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of
Apache Atlas |
| Users affected: All users of Apache Atlas
server |
| Impact: Atlas uses cookies that could be
accessible to client-side scripts. |
| Fix detail: Atlas was updated to make the
cookies unavailable to client-side scripts. |
| Recommended Action: Users should upgrade to
Apache Atlas 0.7.1-incubating or later version. |
| Summary: Persistent XSS vulnerability |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of
Apache Atlas |
| Users affected: All users of Apache Atlas
server |
| Impact: Atlas was found vulnerable to a Stored
Cross-Site Scripting in the edit-tag functionality |
| Fix detail: Atlas was updated to sanitize the
user input. |
| Recommended Action: Users should upgrade to
Apache Atlas 0.7.1-incubating or later version. |
| Summary: DOM XSS threat |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of
Apache Atlas |
| Users affected: All users of Apache Atlas
server |
| Impact: Atlas was found vulnerable to a DOM XSS
in the edit-tag functionality. |
| Fix detail: Atlas was updated to sanitize the
query parameters. |
| Recommended Action: Users should upgrade to
Apache Atlas 0.7.1-incubating or later version. |
| Summary: Reflected XSS vulnerability |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of
Apache Atlas |
| Users affected: All users of Apache Atlas
server |
| Impact: Atlas was found vulnerable to a
Reflected XSS in the search functionality. |
| Fix detail: Atlas was updated to sanitize the
query parameters. |
| Recommended Action: Users should upgrade to
Apache Atlas 0.7.1-incubating or later version. |
| Summary: Stack trace in error response |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of
Apache Atlas |
| Users affected: All users of Apache Atlas
server |
| Impact: Error response from Atlas server
included stack trace, exposing excessive information. |
| Fix detail: Atlas was updated to not include
stack trace in error responses. |
| Recommended Action: Users should upgrade to
Apache Atlas 0.7.1-incubating or later version. |
| Summary: XFS - cross frame scripting
vulnerability |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 versions of
Apache Atlas |
| Users affected: All users of Apache Atlas
server |
| Impact: Atlas was found vulnerable to a cross
frame scripting. |
| Fix detail: Atlas was updated to use
appropriate headers to prevent this vulnerability. |
| Recommended Action: Users should upgrade to
Apache Atlas 0.7.1-incubating or later version. |
| Summary:Apache Knox Impersonation Issue for
WebHDFS |
| Severity: Important |
| Vendor: The Apache Software Foundation |
| Versions Affected: All versions of Apache Knox
prior to 0.12.0 |
| Users affected: Users who use WebHDFS through
Apache Knox. |
| Impact: An authenticated user may use a
specially crafted URL to impersonate another user while accessing WebHDFS through
Apache Knox. This may result in escalated privileges and unauthorized data access.
While this activity is audit logged and can be easily associated with the
authenticated user, this is still a serious security issue. |
| Recommended Action: Upgrade to 2.6.x |
| Mitigation: All users are recommended to
upgrade to Apache Knox 0.12.0, where validation, scrubbing and logging of such
attempts has been added. The Apache Knox 0.12.0 release can be downloaded from: |
| Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip |
| Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip |
| Summary: Apache Ranger policy evaluation
ignores characters after ‘*’ wildcard character |
| Severity: Critical |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.3/2.4/2.5/2.6 versions
including Apache Ranger versions 0.5.x/0.6.x/0.7.0 |
| Users affected: Environments that use Ranger
policies with characters after ‘*’ wildcard character – like my*test,
test*.txt |
| Impact: Policy resource matcher ignores
characters after ‘*’ wildcard character, which can result in unintended behavior. |
| Fix detail: Ranger policy resource matcher was
updated to correctly handle wildcard matches. |
| Recommended Action: Upgrade to HDP 2.6.1+ (with
Apache Ranger 0.7.1+). |
| Summary: Apache Ranger Hive Authorizer should
check for RWX permission when external location is specified |
| Severity: Critical |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.3/2.4/2.5/2.6 versions
including Apache Ranger versions 0.5.x/0.6.x/0.7.0 |
| Users affected: Environments that use external
location for hive tables |
| Impact: In environments that use external
location for hive tables, Apache Ranger Hive Authorizer should check for RWX
permission for the external location specified for create table. |
| Fix detail: Ranger Hive Authorizer was updated
to correctly handle permission check with external location. |
| Recommended Action: Users should upgrade to HDP
2.6.1+ (with Apache Ranger 0.7.1+). |
| Summary: Potential execution of code as the
wrong user in Apache Storm |
| Severity: Important |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.4.0, HDP-2.5.0,
HDP-2.6.0 |
| Users affected: Users who use Storm in secure
mode and are using blobstore to distribute topology based artifacts or using the
blobstore to distribute any topology resources. |
| Impact: Under some situations and
configurations of storm it is theoretically possible for the owner of a topology to
trick the supervisor to launch a worker as a different, non-root, user. In the worst
case, this could lead to secure credentials of the other user being compromised.
This vulnerability only applies to Apache Storm installations with security
enabled. |
| Mitigation: Upgrade to HDP-2.6.2.1 as there are
currently no workarounds. |
| Summary: handler/ssl/OpenSslEngine.java in
Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers
to cause a denial of service (infinite loop) |
| Severity: Moderate |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.x.x since
2.3.x |
| Users Affected: All users that use
HDFS. |
| Impact: Impact is low as Hortonworks does not
use OpenSslEngine.java directly in Hadoop codebase. |
| Recommended Action: Upgrade to 2.6.3. |
| Summary: Apache Ranger path matching issue in
policy evaluation |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.5 versions
including Apache Ranger versions 0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the ranger policy
admin tool. |
| Impact: Ranger policy engine incorrectly
matches paths in certain conditions when a policy contains wildcards and recursive
flags. |
| Fix detail: Fixed policy evaluation logic |
| Recommended Action: Users should upgrade to HDP
2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+) |
| Summary: Apache Ranger stored cross site
scripting issue |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.3/2.4/2.5 versions
including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the ranger policy
admin tool. |
| Impact: Apache Ranger is vulnerable to a Stored
Cross-Site Scripting when entering custom policy conditions. Admin users can store
some arbitrary javascript code execute when normal users login and access policies. |
| Fix detail: Added logic to sanitize the user
input. |
| Recommended Action: Users should upgrade to HDP
2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+) |
| Summary: Atlas web server allows user to browse
webapp directory |
| Severity: Normal |
| Vendor: The Apache Software Foundation |
| Versions Affected: 0.6.0 or 0.7.0 or 0.7.1
versions of Apache Atlas |
| Users affected: All users of Apache Atlas
server |
| Impact: Atlas users can access the webapp
directory contents by pointing to URIs like /js, /img |
| Fix detail: Atlas was updated to prevent
browsing of webapp directory contents |
| Mitigation: Users should upgrade to Apache
Atlas 0.8-incubating or later version |
