Description
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.
Report
This issue may affect the versions of hadoop as shipped with Red Hat Enterprise Virtualization Manager. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Virtualization 3 | jasperreports-server-pro | Under investigation | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-6 | Not affected | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-esb-enterprise-7 | Not affected | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-mq-enterprise-7 | Not affected | | |
Additional information
CVSS2: 6.4 Medium
Related vulnerabilities
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.
Improper Link Resolution Before File Access in Apache Hadoop