
====================================================================

                               CERT-Renater

                   Information Note No. 2016/VULN426
_____________________________________________________________________

DATE                : 23/12/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Hadoop 2.7.x prior to 2.7.2,
                     or 2.6.x prior to 2.6.4.

=====================================================================
http://mail-archives.apache.org/mod_mbox/hadoop-general/201612.mbox/%3cCB6911C9-AC6C-44B4-9F04-E7DB86786376@hortonworks.com%3e
____________________________________________________________________

Hello,

The following security vulnerability was found and fixed in Apache
Hadoop.

[also announced on bugtraq@securityfocus.com and
oss-security@lists.openwall.com]

-------

CVE-2016-5001: Apache Hadoop Information Disclosure

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Hadoop 2.7.1, 2.6.3 and earlier.

Description:

This is an information disclosure vulnerability in the short-circuit
reads feature of HDFS. A local user on an HDFS DataNode may be able to
craft a block token that grants unauthorized read access to arbitrary
files by guessing certain fields in the token.

Mitigation:
Users on 2.7.x should upgrade to 2.7.2 or later.
Users on 2.6.x or earlier releases should upgrade to 2.6.4 or later.
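As an added example (not part of the CERT-Renater bulletin or the Apache announcement), the following Python snippet turns the two mitigation lines above into a check an administrator can run against the output of `hadoop version`. The sample output string is constructed for the example, and the assumption that the first line of that output has the form `Hadoop X.Y.Z` is the author's, not something the advisory states; the version ranges themselves come from the advisory.

```python
import re

# Constructed sample of `hadoop version` output; the "Hadoop X.Y.Z" first
# line is an assumed format, not text taken from the advisory.
SAMPLE_OUTPUT = (
    "Hadoop 2.7.1\n"
    "Compiled by example-builder on 2016-01-01T00:00Z\n"
)


def parse_version(output):
    """Return (major, minor, patch) from the first 'Hadoop X.Y.Z' line."""
    match = re.search(r"^Hadoop\s+(\d+)\.(\d+)\.(\d+)", output, re.MULTILINE)
    if not match:
        raise ValueError("no 'Hadoop X.Y.Z' line found in output")
    return tuple(int(part) for part in match.groups())


def required_fix(version):
    """Return the release the advisory says to upgrade to, or None.

    Advisory ranges: 2.7.x is fixed in 2.7.2; 2.6.x and every earlier
    release should move to 2.6.4 or later. Releases the advisory does
    not name (2.8 and later, 3.x) are reported as not covered.
    """
    major, minor, patch = version
    if major < 2:
        return "2.6.4"          # "2.6.x or earlier releases"
    if major > 2:
        return None             # not named by the advisory
    if minor == 7:
        return "2.7.2" if patch < 2 else None
    if minor == 6:
        return "2.6.4" if patch < 4 else None
    if minor < 6:
        return "2.6.4"
    return None                 # 2.8.x and later: not named


def is_affected(version):
    """True when the advisory's mitigation requires an upgrade."""
    return required_fix(version) is not None


if __name__ == "__main__":
    # Usage: pipe `hadoop version` into this script, or use the sample.
    found = parse_version(SAMPLE_OUTPUT)
    target = required_fix(found)
    if target:
        print("Hadoop %d.%d.%d is affected by CVE-2016-5001; upgrade to %s or later"
              % (found + (target,)))
    else:
        print("Hadoop %d.%d.%d is not in the advisory's affected ranges" % found)
```

The check reads only the version string, so it says nothing about whether short-circuit reads are actually enabled on a given cluster; it answers the narrower question the mitigation section poses, namely whether the installed release is one the advisory tells you to replace.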

Impact:
A local user may be able to gain unauthorized read access to files.

Credit:
This issue was reported by Kihwal Lee of Yahoo Inc.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================