Fixed Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures (CVE) that are addressed in this release and in previous HDP for HDInsight releases.
CVE-2016-5017
Component: ZooKeeper
Summary: Buffer overflow in the C CLI shell in Apache Zookeeper.
Severity: Low
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.3
Users Affected: Users who use Apache ZooKeeper with C client.
Impact: See BUG-120252 and ZOOKEEPER-2498. Buffer overflow in the C CLI shell in Apache ZooKeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
Recommended Action: Upgrade to HDP 3.1.3+
CVE-2017-5637
Component: ZooKeeper
Summary: Two four-letter-word commands, "wchp" and "wchc", are CPU intensive and could cause a spike in CPU utilization on an Apache ZooKeeper server if abused.
Severity: Low
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.3
Users Affected: Users who use Apache ZooKeeper in public infrastructure.
Impact: See BUG-120252 and ZOOKEEPER-2693. Two four-letter-word commands, "wchp" and "wchc", are CPU intensive and could cause a spike in CPU utilization on an Apache ZooKeeper server if abused.
Recommended Action: Upgrade to HDP 3.1.3+
CVE-2018-8012
Component: ZooKeeper
Summary: No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.3
Users Affected: Users who use Apache ZooKeeper.
Impact: See BUG-120252 and ZOOKEEPER-1045, ZOOKEEPER-2726. No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper.
Recommended Action: Upgrade to HDP 3.1.3+
CVE-2019-0201
Component: ZooKeeper
Summary: ZooKeeper's getACL() command doesn't check any permission when retrieving the ACLs.
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP versions before 3.1.3
Users Affected: Users who use Apache ZooKeeper.
Impact: See BUG-120252 and ZOOKEEPER-1392. ZooKeeper's getACL() command doesn't check any permission when retrieving the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string.
Recommended Action: Upgrade to HDP 3.1.3+
CVE-2018-1331
Component: Storm
Summary: An attacker with access to a secure Storm cluster could, in some cases, execute arbitrary code as a different user.
Severity: Moderate
Vendor: Hortonworks
Versions Affected: HDP 3.0.0, HDP 3.0.1, HDP 2.6.x and HDF 3.2 or earlier
Users Affected: Users with Storm deployed in a secure cluster.
Impact: See STORM-3026. An attacker with access to a secure Storm cluster could, in some cases, execute arbitrary code as a different user.
Recommended Action: Upgrade to HDP 3.1 or HDF 3.3. After upgrading, the following configs need to be set to enforce these ACL checks:
storm.nimbus.zookeeper.acls.check: true
storm.nimbus.zookeeper.acls.fixup: true
CVE-2018-1332
Component: Storm
Summary: In a secure Storm cluster an attacker could impersonate another user when communicating with some Storm Daemons.
Severity: Moderate
Vendor: Hortonworks
Versions Affected: HDP 3.0.0, HDP 2.6.x, HDF 3.2 and earlier
Users Affected: Users with Storm deployed in a secure cluster.
Impact: See STORM-3027. The affected Storm versions expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.
Recommended Action: Upgrade to HDP 3.1.0 or HDF 3.3.
CVE-2018-11777
Component: Hive/Hive2
Summary: Local resources on HiveServer2 machines are not properly protected against a malicious user if Ranger or the SQL Standard Authorizer is not in use.
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP 1.0.0 to HDP 2.6.5, HDP 3.0.0, and HDP 3.0.1
Users Affected: This affects only configurations of HDP where Ranger or SQL Standard Authorization is not enabled.
Impact: Local resources on the HiveServer2 machine can be read and written by an arbitrary Hive user if Ranger or SQL Standard Authorization is not in use.
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
</property>
CVE-2018-1314
Component: Hive/Hive2
Summary: Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do "EXPLAIN" on arbitrary table or view and expose table metadata and statistics.
Severity: Important
Vendor: Hortonworks
Versions Affected: HDP 1.0.0 to HDP 2.6.5, HDP 3.0.0, and HDP 3.0.1
Impact: Hive metadata and statistics are not secure against an unauthorized Hive user.
- 3.0.1.3 (If current version is HDP 3.0.x)
- 2.6.5.54 (If current version is HDP 2.6.5.0)
- 2.6.5.1003 (If current version is HDP 2.6.5.100* versions released for Data Lifecycle Manager support)
CVE-2018-8008
Component: Storm
Summary: Apache Storm arbitrary file write vulnerability.
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: HDP 3.0.0, HDP 2.6.5 and earlier
Impact: Apache Storm versions 1.0.6 and earlier, 1.2.1 and earlier, and 1.1.2 and earlier expose an arbitrary file write vulnerability that can be triggered with a specially crafted zip archive (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z) containing path traversal filenames. When such a filename is concatenated to the target extraction directory, the final path ends up outside the target folder.
Recommended Action: Upgrade to HDP 3.0.1 or HDP 3.1.0.
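The path traversal described for CVE-2018-8008 is caught by checking, for every archive entry, that the resolved destination still lies inside the extraction directory before anything is written. The following is an added example of that check, not code from Storm or from this advisory: it builds a small zip archive in memory with constructed entry names (a benign file, a "../" traversal, an absolute path, and a "lib/../../" variant) and classifies each entry as safe or rejected. The destination directory name is an assumption and need not exist; the same check applies unchanged to the other formats listed above, since the defect is in how entry names are joined to the target directory, not in the zip format itself.

```python
import io
import os
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if extracting member_name would land inside dest_dir.

    Both paths are resolved with realpath so that "..", duplicate separators
    and symlinks in dest_dir cannot fool a plain string-prefix comparison.
    """
    dest_root = os.path.realpath(dest_dir)
    # Absolute entry names ignore dest_dir entirely and are never safe.
    # (startswith covers "/" on platforms where isabs() treats it as relative.)
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return False
    target = os.path.realpath(os.path.join(dest_root, member_name))
    # commonpath rejects siblings that merely share a prefix
    # (e.g. /opt/out vs /opt/outside), which a startswith() check would accept.
    return os.path.commonpath([dest_root, target]) == dest_root


def audit_zip(data: bytes, dest_dir: str) -> dict:
    """Classify every entry of an in-memory zip archive as safe or rejected.

    Nothing is extracted; this is the gate a defender would place in front of
    the real extraction call (or run as a detection over uploaded archives).
    """
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = safe if is_safe_member(dest_dir, info.filename) else rejected
            bucket.append(info.filename)
    return {"safe": safe, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and three traversal variants."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("topology/config.yaml", "worker.childopts: -Xmx1g\n")  # benign
        zf.writestr("../../etc/evil.txt", "traversal\n")                   # climbs out via ..
        zf.writestr("/tmp/absolute.txt", "absolute\n")                     # absolute path
        zf.writestr("lib/../../outside.jar", "x")                          # nested ..
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed destination; it does not have to exist for the check to run.
    result = audit_zip(build_sample_archive(), "/opt/storm/extract")
    for name in result["safe"]:
        print("OK      ", name)
    for name in result["rejected"]:
        print("REJECTED", name)
```

Note that recent versions of Python's zipfile strip leading slashes and ".." components during extraction on their own, so this check mostly matters where the archive is unpacked by code that joins entry names to a directory by hand, which is the pattern the advisory describes. Rejecting the whole archive on the first bad entry, rather than skipping that entry, is the safer policy for untrusted uploads.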