Fixed Common Vulnerabilities and Exposures
This section covers all Common Vulnerabilities and Exposures (CVE) that are addressed in this release.
CVE-2016-4970
Summary: handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop)
Severity: Moderate
Vendor: Hortonworks
Versions Affected: HDP 2.x.x since 2.3.x
Users Affected: All users that use HDFS
Impact: Impact is low as Hortonworks does not use OpenSslEngine.java directly in the Hadoop codebase
Recommended Action: Upgrade to HDP 2.6.3
CVE-2016-8746
Summary: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: Hortonworks
Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2
Users Affected: All users of the Ranger policy admin tool
Impact: Fixed policy evaluation logic
Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+)
CVE-2016-8751
Summary: Apache Ranger stored cross site scripting issue
Severity: Normal
Vendor: Hortonworks
Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2
Users Affected: All users of the Ranger policy admin tool
Impact: Apache Ranger is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that executes when normal users log in and access policies
Fix detail: Added logic to sanitize the user input
Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+) or HDP 2.6+ (with Apache Ranger 0.7.0+)
CVE-2016-8752
Summary: Atlas web server allows user to browse webapp directory
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 or 0.7.1 versions of Apache Atlas
Users Affected: All users of Apache Atlas server
Impact: Atlas users can access the webapp directory contents by pointing to URIs like /js, /img
Fix detail: Atlas was updated to prevent browsing of webapp directory contents
Recommended Action: Users should upgrade to Apache Atlas 0.8-incubating or later version
CVE-2017-3150
Summary: Use of insecure cookies
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users Affected: All users of Apache Atlas server
Impact: Atlas uses cookies that could be accessible to client-side scripts
Fix detail: Atlas was updated to make the cookies unavailable to client-side scripts
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version
CVE-2017-3151
Summary: Persistent XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users Affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a Stored Cross-Site Scripting in the edit-tag functionality
Fix detail: Atlas was updated to sanitize the user input
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version
CVE-2017-3152
Summary: DOM XSS threat
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users Affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a DOM XSS in the edit-tag functionality
Fix detail: Atlas was updated to sanitize the query parameters
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version
CVE-2017-3153
Summary: Reflected XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users Affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a Reflected XSS in the search functionality
Fix detail: Atlas was updated to sanitize the query parameters
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version
CVE-2017-3154
Summary: Stack trace in error response
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users Affected: All users of Apache Atlas server
Impact: Error response from Atlas server included stack trace, exposing excessive information
Fix detail: Atlas was updated to not include stack trace in error responses
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version
CVE-2017-3155
Summary: XFS - cross frame scripting vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users Affected: All users of Apache Atlas server
Impact: Atlas was found vulnerable to a cross frame scripting
Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability
Recommended Action: Users should upgrade to Apache Atlas 0.7.1-incubating or later version
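The two Atlas fixes above for CVE-2017-3150 (cookies readable by client-side scripts) and CVE-2017-3155 (cross frame scripting) are both verifiable from the HTTP response headers a server sends. The following added example, which is not part of the original release notes or of the Apache Atlas project, is a small defender-side check that parses a raw response, flags Set-Cookie headers lacking the HttpOnly and Secure attributes, and flags responses that carry neither an X-Frame-Options DENY/SAMEORIGIN header nor a Content-Security-Policy frame-ancestors directive. The two sample responses and the cookie name SESSIONID are constructed for the example, not captured from Atlas.

```python
def parse_headers(raw: str):
    """Parse a raw HTTP response (status line followed by header lines) into
    a list of (name, value) pairs. Names are lower-cased; repeated headers
    such as multiple Set-Cookie lines are all preserved."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_findings(headers):
    """Report every cookie that is readable by client-side script (no HttpOnly)
    or that may be sent over plaintext (no Secure)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names after the first ';', compared case-insensitively
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure")
    return findings


def framing_findings(headers):
    """Report the absence of an anti-framing control, the class of header
    the CVE-2017-3155 fix added."""
    h = dict(headers)  # last value wins; fine for these single-valued headers
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        return []
    return ["no X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors directive"]


def check_response(raw: str):
    """Run both checks over one raw response and return the combined findings."""
    headers = parse_headers(raw)
    return cookie_findings(headers) + framing_findings(headers)


# Constructed sample responses (not real Atlas traffic): the first shows the
# weak configuration, the second the hardened one.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", check_response(raw) or "no findings")
```

The check deliberately accepts either X-Frame-Options or a CSP frame-ancestors directive, since modern browsers honour the CSP directive in preference to the older header; a response missing both is the condition worth flagging.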
CVE-2017-5646
Summary: Apache Knox Impersonation Issue for WebHDFS
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: All versions of Apache Knox prior to 0.12.0
Users Affected: Users who use WebHDFS through Apache Knox
Impact: An authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue
Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability
Recommended Action: Upgrade to 2.6.x
- Mitigation: All users are recommended to upgrade to Apache Knox 0.12.0, where validation, scrubbing and logging of such attempts have been added. The Apache Knox 0.12.0 release can be downloaded from:
- Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
- Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
CVE-2017-7676
Summary: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character
Severity: Critical
Vendor: Hortonworks
Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0
Users Affected: Environments that use Ranger policies with characters after ‘*’ wildcard character – like my*test, test*.txt
Impact: Policy resource matcher ignores characters after ‘*’ wildcard character, which can result in unintended behavior
Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches
Recommended Action: Upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+)
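To make the defect class behind CVE-2017-7676 concrete, the following added example (not code from the release notes or from Apache Ranger) contrasts a flawed resource matcher that ignores everything after the first '*' with one that honours every literal segment of the pattern. The policy resources my*test and test*.txt are taken from the advisory; the request names, the matcher functions and the audit helper are constructed for the example. The point for a defender is that a pattern such as my*test silently widens to my* under the flawed logic, so requests for unrelated resources are granted.

```python
import re


def _glob_to_regex(pattern: str) -> str:
    """Translate a resource glob where '*' means any run of characters into an
    anchored regex; literal segments are escaped so '.' in 'test*.txt' stays literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return "^" + ".*".join(parts) + "$"


def buggy_match(pattern: str, resource: str) -> bool:
    """Constructed illustration of the defect: the literal text after the first '*'
    is dropped, so 'my*test' is evaluated as if it were 'my*'."""
    if "*" not in pattern:
        return resource == pattern
    head = pattern.split("*", 1)[0]
    return resource.startswith(head)


def fixed_match(pattern: str, resource: str) -> bool:
    """Correct matcher: every literal segment around each '*' must appear, in order."""
    return re.match(_glob_to_regex(pattern), resource) is not None


def evaluate_policy(policy_resources, requested: str, matcher) -> bool:
    """A policy grants access if any of its resource patterns covers the request."""
    return any(matcher(pattern, requested) for pattern in policy_resources)


# Resource patterns quoted in the advisory
POLICY = ["my*test", "test*.txt"]

# Constructed requests with the decision an administrator would expect
CASES = [
    ("my_unit_test", True),      # covered by my*test
    ("my_secret_data", False),   # trailing 'test' absent: must be denied
    ("test_report.txt", True),   # covered by test*.txt
    ("test_report.csv", False),  # wrong extension: must be denied
]


def audit(matcher):
    """Return the requests for which the matcher's decision differs from the
    expected one; an empty list means the matcher behaves as intended."""
    return [req for req, expected in CASES
            if evaluate_policy(POLICY, req, matcher) != expected]


if __name__ == "__main__":
    print("buggy matcher over-grants:", audit(buggy_match))
    print("fixed matcher mismatches: ", audit(fixed_match))
```

Running the audit against an existing policy set with the patterns you actually deploy is a cheap way to confirm that an upgraded matcher produces the decisions you expect before relying on it.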
CVE-2017-7677
Summary: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified
Severity: Critical
Vendor: Hortonworks
Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0
Users Affected: Environments that use an external location for Hive tables
Impact: In environments that use an external location for Hive tables, Apache Ranger Hive Authorizer should check for RWX permission on the external location specified for create table
Fix detail: Ranger Hive Authorizer was updated to correctly handle the permission check with an external location
Recommended Action: Users should upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+)
CVE-2017-9799
Summary: Potential execution of code as the wrong user in Apache Storm
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP 2.4.0, HDP-2.5.0, HDP-2.6.0
Users Affected: Users who use Storm in secure mode and are using the blobstore to distribute topology-based artifacts or any other topology resources
Impact: Under some situations and configurations of Storm it is theoretically possible for the owner of a topology to trick the supervisor into launching a worker as a different, non-root, user. In the worst case, this could lead to secure credentials of the other user being compromised. This vulnerability only applies to Apache Storm installations with security enabled
Mitigation: Upgrade to HDP-2.6.2.1 as there are currently no workarounds