Hortonworks Data Platform for HDInsight

Fixed Common Vulnerabilities and Exposures

This section covers all Common Vulnerabilities and Exposures (CVE) that are addressed in this release.

CVE-2016-4970

Summary: handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop)

Severity: Moderate

Vendor: Hortonworks

Versions Affected: HDP 2.x.x since 2.3.x

Users Affected: All users that use HDFS

Impact: Impact is low, as Hortonworks does not use OpenSslEngine.java directly in the Hadoop codebase

Recommended Action: Upgrade to HDP 2.6.3

CVE-2016-8746

Summary: Apache Ranger path matching issue in policy evaluation

Severity: Normal

Vendor: Hortonworks

Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2

Users Affected: All users of the Ranger policy admin tool

Impact: Fixed policy evaluation logic

Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+)

CVE-2016-8751

Summary: Apache Ranger stored cross site scripting issue

Severity: Normal

Vendor: Hortonworks

Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2

Users Affected: All users of the Ranger policy admin tool

Impact: Apache Ranger is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that executes when normal users log in and access policies

Fix detail: Added logic to sanitize the user input

Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+)

CVE-2016-8752

Summary: Atlas web server allows user to browse webapp directory

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0 or 0.7.0 or 0.7.1 versions of Apache Atlas

Users Affected: All users of Apache Atlas server

Impact: Atlas users can access the webapp directory contents by pointing to URIs like /js, /img

Fix detail: Atlas was updated to prevent browsing of webapp directory contents

Recommended Action: Users should upgrade to Apache Atlas 0.8-incubating or later version

CVE-2017-3150

Summary: Use of insecure cookies

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas

Users Affected: All users of Apache Atlas server

Impact: Atlas uses cookies that could be accessible to client-side scripts

Fix detail: Atlas was updated to make the cookies unavailable to client-side scripts

Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

CVE-2017-3151

Summary: Persistent XSS vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas

Users Affected: All users of Apache Atlas server

Impact: Atlas was found vulnerable to a Stored Cross-Site Scripting in the edit-tag functionality

Fix detail: Atlas was updated to sanitize the user input

Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

CVE-2017-3152

Summary: DOM XSS threat

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas

Users Affected: All users of Apache Atlas server

Impact: Atlas was found vulnerable to a DOM XSS in the edit-tag functionality

Fix detail: Atlas was updated to sanitize the query parameters

Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

CVE-2017-3153

Summary: Reflected XSS vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas

Users Affected: All users of Apache Atlas server

Impact: Atlas was found vulnerable to a Reflected XSS in the search functionality

Fix detail: Atlas was updated to sanitize the query parameters

Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

CVE-2017-3154

Summary: Stack trace in error response

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas

Users Affected: All users of Apache Atlas server

Impact: Error response from Atlas server included stack trace, exposing excessive information

Fix detail: Atlas was updated to not include stack trace in error responses

Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

CVE-2017-3155

Summary: XFS - cross frame scripting vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas

Users Affected: All users of Apache Atlas server

Impact: Atlas was found vulnerable to a cross frame scripting

Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability

Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

CVE-2017-5646

Summary: Apache Knox Impersonation Issue for WebHDFS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Knox prior to 0.12.0

Users Affected: Users who use WebHDFS through Apache Knox

Impact: An authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue

Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability

Recommended Action: Upgrade to 2.6.x

CVE-2017-7676

Summary: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character

Severity: Critical

Vendor: Hortonworks

Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0

Users Affected: Environments that use Ranger policies with characters after the ‘*’ wildcard character, such as my*test or test*.txt

Impact: Policy resource matcher ignores characters after ‘*’ wildcard character, which can result in unintended behavior

Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches

Recommended Action: Upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+)
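The following added example (not Apache Ranger code) models the failure mode described above: a matcher that stops evaluating a policy pattern at the first ‘*’ degenerates to a prefix match, so a policy written for my*test or test*.txt silently grants more resources than intended. The buggy matcher is an assumed simplification of the pre-fix behaviour, and the sample resource names are constructed; the fixed matcher is a complete wildcard match that also handles patterns with no ‘*’ or with several.

```python
"""Illustration of the CVE-2017-7676 matching defect (added example,
not Apache Ranger's implementation)."""
import re


def buggy_match(pattern: str, resource: str) -> bool:
    """Assumed model of the pre-fix behaviour: everything after the first
    '*' is ignored, so 'my*test' collapses to the prefix match 'my*'."""
    star = pattern.find("*")
    if star < 0:
        return pattern == resource
    return resource.startswith(pattern[:star])


def fixed_match(pattern: str, resource: str) -> bool:
    """Correct wildcard match: each '*' spans any run of characters, but the
    literal text between and after the wildcards must still match."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, resource) is not None


def evaluate(pattern: str, resources: list) -> dict:
    """Resources each matcher would grant for one policy resource pattern."""
    return {
        "buggy": [r for r in resources if buggy_match(pattern, r)],
        "fixed": [r for r in resources if fixed_match(pattern, r)],
    }


def overgranted(pattern: str, resources: list) -> list:
    """Resources the buggy matcher grants that the policy never intended;
    useful for auditing existing policies that contain text after '*'."""
    result = evaluate(pattern, resources)
    return sorted(set(result["buggy"]) - set(result["fixed"]))


# Constructed sample resource names (for example HDFS file names under one
# policy path); they are not taken from the advisory.
SAMPLE_RESOURCES = [
    "mytest", "my_test", "my_secrets_test", "my_other_data",
    "test.txt", "test_2017.txt", "test_backup.csv",
]

if __name__ == "__main__":
    for policy_pattern in ("my*test", "test*.txt"):
        print(policy_pattern, evaluate(policy_pattern, SAMPLE_RESOURCES))
        print("  over-granted:", overgranted(policy_pattern, SAMPLE_RESOURCES))
```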

CVE-2017-7677

Summary: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified

Severity: Critical

Vendor: Hortonworks

Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0

Users Affected: Environments that use external location for hive tables

Impact: In environments that use an external location for Hive tables, the Apache Ranger Hive Authorizer should check for RWX permission on the external location specified for create table

Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location

Recommended Action: Users should upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+)

CVE-2017-9799

Summary: Potential execution of code as the wrong user in Apache Storm

Severity: Important

Vendor: Hortonworks

Versions Affected: HDP 2.4.0, HDP 2.5.0, HDP 2.6.0

Users Affected: Users who run Storm in secure mode and use the blobstore to distribute topology-based artifacts or any other topology resources

Impact: Under some situations and configurations of Storm it is theoretically possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user. In the worst case, this could lead to the secure credentials of the other user being compromised. This vulnerability only applies to Apache Storm installations with security enabled

Mitigation: Upgrade to HDP-2.6.2.1 as there are currently no workarounds